2044497 – (CVE-2022-20614) CVE-2022-20614 jenkins-2-plugins/mailer: does not perform a permission check in a method implementing form validation

Bug 2044497 (CVE-2022-20614) - CVE-2022-20614 jenkins-2-plugins/mailer: does not perform a permission check in a method implementing form validation

Summary: CVE-2022-20614 jenkins-2-plugins/mailer: does not perform a permission check ...

Keywords:
Status:	NEW
Alias:	CVE-2022-20614
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2044913 2044914 2044915 2047839
Blocks:	2044461
TreeView+	depends on / blocked

Reported:	2022-01-24 17:17 UTC by Michael Kaplan
Modified:	2023-07-07 08:28 UTC (History)
CC List:	10 users (show)
Fixed In Version:	mailer plugin 408.vd726a_1130320
Doc Type:	If docs needed, set a value
Doc Text:	A missing permissions verification vulnerability was found in the Jenkins Mailer plugin. The form validation method does not perform a permission check which allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Michael Kaplan 2022-01-24 17:17:35 UTC

A missing permission check in Jenkins Mailer Plugin 391.ve4a_38c1b_cf4b_ and earlier allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.

Reference:

https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2163

Comment 1 Adam Kaplan 2022-01-26 18:52:54 UTC

The Mailer plugin is a direct dependency of the openshift-login-plugin. This plugin will need to fix its dependencies before we update Mailer in our Jenkins distributions.

Note You need to log in before you can comment on or make changes to this bug.