Bug 2136369 (CVE-2022-43410) - CVE-2022-43410 jenkins-plugin/mercurial: Webhook endpoint discloses job names to unauthorized users in Mercurial Plugin
Summary: CVE-2022-43410 jenkins-plugin/mercurial: Webhook endpoint discloses job names...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-43410
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2136612
Blocks: 2136368
TreeView+ depends on / blocked
 
Reported: 2022-10-20 05:23 UTC by Avinash Hanwate
Modified: 2023-03-06 12:22 UTC (History)
3 users (show)

Fixed In Version: mercurial 1260.vdfb_723cdcc81
Clone Of:
Environment:
Last Closed: 2023-03-06 12:22:05 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:1064 0 None None None 2023-03-06 08:59:03 UTC

Description Avinash Hanwate 2022-10-20 05:23:09 UTC 
In Mercurial Plugin 1251.va_b_121f184902 and earlier, the output of the webhook endpoint will provide information about which jobs were triggered or scheduled for polling, including jobs the user has no permission to access. This allows attackers with knowledge of Mercurial repository URLs to obtain information about the existence of jobs configured with this Mercurial repository.

https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2831
Comment 4 errata-xmlrpc 2023-03-06 08:59:01 UTC 
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.12

Via RHSA-2023:1064 https://access.redhat.com/errata/RHSA-2023:1064
Comment 5 Product Security DevOps Team 2023-03-06 12:22:03 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-43410
Note You need to log in before you can comment on or make changes to this bug.