request #28257 Missing authentication of webhook requests made to the Jenkins Branch Source plugin

Artifact

Infos

Artifact ID#28257

Submitted byThomas Gerbet (tgerbet)

Last Modified On2022-10-19 08:41

Submitted on2022-08-23 17:12

Rank29809

Details

Summary *

Missing authentication of webhook requests made to the Jenkins Branch Source plugin

Original Submission

The Jenkins Branch Source plugin does not authenticate requests triggering the webhook endpoint.

Impact

A malicious unauthenticated user could use this to trigger builds.

References

CWE 693
SECURITY-2852
CVE-2022-43421

CategoryJenkins Branch Source plugin

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toThomas Gerbet (tgerbet)

StatusClosed

Close date2022-09-19

Attachments

Connected artifacts

Artifact links

Releases

Fixed in

	Artifact ID	Project	Tracker	Summary	Status	Last Update Date	Submitted By	Assigned to
	rel #27177	Tuleap	Releases	14.1	Delivered	2022-13-10 15:53	Manuel Vacelet (vaceletm)

Reverse artifact links

Empty

AttachmentsEmpty

References

Cross references

Referencing request #28257

Git commit

tuleap/tuleap/stable

Add a token to Jenkins Tuleap plugin hook trigger payload to be able to authenticate the trigger 68785d2042

Thomas Gerbet (tgerbet) , 2022-08-30 09:32

Make the token used to authenticate the Jenkins plugin hook trigger usable only once 5ab1899b7d

Thomas Gerbet (tgerbet) , 2022-09-16 11:44

Show items referenced by request #28257

Referenced by request #28257

Artifact Tracker v5

rel #27177 14.1

Git commit

tuleap/tuleap/stable

Make the token used to authenticate the Jenkins plugin hook trigger usable only once 5ab1899b7d

Thomas Gerbet (tgerbet) , 2022-09-16 11:44

Other

gerrit #26630

Follow-ups

Thomas Gerbet (tgerbet)

2022-10-19 08:41

CVE-2022-43421 has been assigned to this issue (well for the Jenkins side since the issue does not impact Tuleap).

Public disclosure.

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Manuel Vacelet (vaceletm)

2022-09-19 11:55

Integrated in Tuleap 14.0.99.11

Assigned to changed from None to Thomas Gerbet (tgerbet)
Connected artifacts
- Added Fixed in: rel #27177

Tracker Workflow Manager (forge__tracker_workflow_manager)

2022-09-19 11:55

Closed by @tgerbet with git #tuleap/stable/5ab1899b7de67e8735dfca87b614025ffee27941.

Status changed from Verified to Closed
Close date set to 2022-09-19

Clarck Robinson (robinsoc)

2022-09-01 15:30

gerrit #26630 integrated into Tuleap 13.12.99.72.