Bug 2136369 (CVE-2022-43410) - CVE-2022-43410 jenkins-plugin/mercurial: Webhook endpoint discloses job names to unauthorized users in Mercurial Plugin
Keywords:
Status: NEW
Alias: CVE-2022-43410
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2136612
Blocks: 2136368
 
Reported: 2022-10-20 05:23 UTC by Avinash Hanwate
Modified: 2022-11-03 18:23 UTC

Fixed In Version: mercurial 1260.vdfb_723cdcc81
Doc Type: If docs needed, set a value
Doc Text:
An information disclosure flaw was found in the Jenkins Mercurial Plugin. The response of the plugin's commit webhook endpoint lists the jobs that were triggered or scheduled for polling, including jobs the requesting user has no permission to access. An unauthenticated remote attacker who knows a Mercurial repository URL can therefore learn which jobs are configured with that repository. The greatest impact is to confidentiality.
Clone Of:
Environment:
Last Closed:



Description Avinash Hanwate 2022-10-20 05:23:09 UTC
In Mercurial Plugin 1251.va_b_121f184902 and earlier, the output of the webhook endpoint will provide information about which jobs were triggered or scheduled for polling, including jobs the user has no permission to access. This allows attackers with knowledge of Mercurial repository URLs to obtain information about the existence of jobs configured with this Mercurial repository.

https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2831
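As an added illustration, not code from the Mercurial Plugin or from the advisory, the following Python model of a commit-notification webhook shows the pre-fix disclosure next to a hardened variant. The job names, repository URLs, user names, the permission model and the "Scheduled polling of ..." response wording are all constructed for this example; the real plugin's endpoint path, output format and actual fix are not reproduced here. The point the model makes is that a fix has to keep triggering every matching job (that is what the webhook is for) while the response names only jobs the caller is permitted to read, and must answer identically whether hidden jobs matched or nothing matched at all, so that the response does not become an existence oracle.

```python
"""Model of a Mercurial-style commit webhook, illustrating the class of
disclosure described in SECURITY-2831. Everything below is constructed
example code, not the plugin's implementation."""
from dataclasses import dataclass, field

ANONYMOUS = "anonymous"


@dataclass
class Job:
    name: str
    repo_url: str
    readers: set = field(default_factory=set)  # users holding Item/Read (assumed model)

    def can_read(self, user: str) -> bool:
        return user in self.readers or ANONYMOUS in self.readers


# Constructed sample configuration; no real instance is represented.
JOBS = [
    Job("public-site", "https://hg.example.org/site", {ANONYMOUS}),
    Job("secret-payments", "https://hg.example.org/payments", {"alice"}),
    Job("secret-payments-nightly", "https://hg.example.org/payments", {"alice"}),
]


def schedule_polling(job: Job) -> bool:
    """Stand-in for the plugin scheduling an SCM poll; always succeeds here."""
    return True


def notify_commit_vulnerable(jobs, repo_url: str, user: str) -> str:
    """Pre-fix behaviour: every matching job is triggered and named in the
    response, regardless of whether the caller may read it."""
    lines = []
    for job in jobs:
        if job.repo_url == repo_url and schedule_polling(job):
            lines.append(f"Scheduled polling of {job.name}")
    if not lines:
        lines.append(f"No jobs use repository {repo_url}")
    return "\n".join(lines)


def notify_commit_fixed(jobs, repo_url: str, user: str) -> str:
    """Hardened: still triggers every matching job, but only names those the
    caller can read, and gives the same reply for 'hidden jobs matched' and
    'nothing matched' so the response reveals nothing about hidden jobs."""
    lines = []
    for job in jobs:
        if job.repo_url == repo_url and schedule_polling(job):
            if job.can_read(user):
                lines.append(f"Scheduled polling of {job.name}")
    if not lines:
        # Deliberately no count and no repository-specific wording.
        lines.append("Request accepted")
    return "\n".join(lines)


def disclosed_job_names(response: str) -> list:
    """What an attacker learns from a response in this example's format."""
    prefix = "Scheduled polling of "
    return [line[len(prefix):] for line in response.splitlines() if line.startswith(prefix)]


if __name__ == "__main__":
    url = "https://hg.example.org/payments"
    print("vulnerable:", disclosed_job_names(notify_commit_vulnerable(JOBS, url, ANONYMOUS)))
    print("fixed:     ", disclosed_job_names(notify_commit_fixed(JOBS, url, ANONYMOUS)))
```

When checking a real instance for this class of issue, the test to run is the same as the last two assertions below: compare the webhook's response for a repository URL that is configured in restricted jobs against its response for a URL that matches nothing, as an unauthenticated caller. Any difference in the body, not just the job names, is a leak.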

