•  
      request #28257 Missing authentication of webhook requests made to the Jenkins Branch Source plugin
    Infos
    #28257
    Thomas Gerbet (tgerbet)
    2022-10-19 08:41
    2022-08-23 17:12
    29821
    Details
    Missing authentication of webhook requests made to the Jenkins Branch Source plugin

    The Jenkins Branch Source plugin does not authenticate requests triggering the webhook endpoint.

    Impact

    A malicious unauthenticated user could use this to trigger builds.

    References

    CWE 693
    SECURITY-2852
    CVE-2022-43421

    Jenkins Branch Source plugin
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2022-09-19
    Attachments
    Empty
    References

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2022-10-19 08:41

    CVE-2022-43421 has been assigned to this issue (well for the Jenkins side since the issue does not impact Tuleap).

    Public disclosure.


    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes