{"containers": {"cna": {"affected": [{"product": "Jenkins", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "2.329", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "LTS 2.319.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and earlier, LTS 2.319.1 and earlier allows attackers to trigger build of job without parameters when no security realm is set."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T14:19:00.155Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2558"}, {"name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2022-20612", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.329"}, {"version_affected": "<=", "version_value": "LTS 2.319.1"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and earlier, LTS 2.319.1 and earlier allows attackers to trigger build of job without parameters when no security realm is set."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}]}, "references": {"reference_data": [{"name": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2558", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2558"}, {"name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T02:17:53.077Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2558"}, {"name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2022-20612", "datePublished": "2022-01-12T19:05:44", "dateReserved": "2021-10-28T00:00:00", "dateUpdated": "2024-08-03T02:17:53.077Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "matchCriteriaId": "ADE588E8-C485-4BA1-BBF6-50DC4B8C86BC", "versionEndIncluding": "2.319.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*", "matchCriteriaId": "08A2ED7E-D17B-4A19-BB96-CB2AD13039BF", "versionEndIncluding": "2.329", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "A4CA84D6-F312-4C29-A02B-050FCB7A902B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and earlier, LTS 2.319.1 and earlier allows attackers to trigger build of job without parameters when no security realm is set."}, {"lang": "es", "value": "Una vulnerabilidad de tipo cross-site request forgery (CSRF) en Jenkins versiones 2.329 y anteriores, LTS versiones 2.319.1 y anteriores, permite a atacantes desencadenar una construcci\u00f3n de un trabajo sin par\u00e1metros cuando no se establece un \u00e1mbito de seguridad"}], "id": "CVE-2022-20612", "lastModified": "2023-11-22T21:32:37.407", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-12T20:15:08.653", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2558"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:0555", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "jenkins-0:2.319.2.1644411558-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2022-02-24T00:00:00Z"}, {"advisory": "RHSA-2022:0565", "cpe": "cpe:/a:redhat:openshift:4.6::el8", "package": "jenkins-0:2.319.2.1643964085-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.6", "release_date": "2022-02-25T00:00:00Z"}, {"advisory": "RHSA-2022:0491", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "jenkins-0:2.319.2.1643882372-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2022-02-16T00:00:00Z"}, {"advisory": "RHSA-2022:0483", "cpe": "cpe:/a:redhat:openshift:4.8::el8", "package": "jenkins-0:2.319.2.1643648617-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.8", "release_date": "2022-02-16T00:00:00Z"}, {"advisory": "RHSA-2022:0339", "cpe": "cpe:/a:redhat:openshift:4.9::el8", "package": "jenkins-0:2.319.2.1643391771-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.9", "release_date": "2022-02-10T00:00:00Z"}], "bugzilla": {"description": "jenkins: no POST request is required for the endpoint handling manual build requests which could result in CSRF", "id": "2044460", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044460"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "status": "verified"}, "cwe": "CWE-352", "details": ["A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and earlier, LTS 2.319.1 and earlier allows attackers to trigger build of job without parameters when no security realm is set.", "A Cross-site request forgery (CSRF) vulnerability was found in Jenkins. The POST requests are not required for the HTTP endpoint handling manual build requests when no security realm is set. This flaw allows an attacker to trigger the building of a job without parameters."], "name": "CVE-2022-20612", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "jenkins", "product_name": "Red Hat JBoss Fuse 7"}], "public_date": "2022-01-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-20612\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-20612\nhttps://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2558"], "threat_severity": "Moderate", "upstream_fix": "jenkins 2.330, jenkins LTS 2.319.2"}