Bug 2136369 (CVE-2022-43410) - CVE-2022-43410 jenkins-plugin/mercurial: Webhook endpoint discloses job names to unauthorized users in Mercurial Plugin
Status: CLOSED ERRATA
Alias: CVE-2022-43410
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 2136612
Blocks: 2136368
Reported: 2022-10-20 05:23 UTC by Avinash Hanwate
Modified: 2023-03-06 12:22 UTC (History)

Fixed In Version: mercurial 1260.vdfb_723cdcc81
Doc Type: If docs needed, set a value
Doc Text:
An information leak was found in a Jenkins plugin. This issue could allow an unauthenticated remote attacker to issue GET requests. The greatest impact is to confidentiality.
Last Closed: 2023-03-06 12:22:05 UTC

Links
Red Hat Product Errata RHSA-2023:1064 (last updated 2023-03-06 08:59:03 UTC)

Description Avinash Hanwate 2022-10-20 05:23:09 UTC
In Mercurial Plugin 1251.va_b_121f184902 and earlier, the output of the webhook endpoint will provide information about which jobs were triggered or scheduled for polling, including jobs the user has no permission to access. This allows attackers with knowledge of Mercurial repository URLs to obtain information about the existence of jobs configured with this Mercurial repository.

https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2831

Comment 4 errata-xmlrpc 2023-03-06 08:59:01 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.12

Via RHSA-2023:1064 https://access.redhat.com/errata/RHSA-2023:1064

Comment 5 Product Security DevOps Team 2023-03-06 12:22:03 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-43410
