CVE-2022-43408

Description

Jenkins Pipeline: Stage View Plugin provides a visualization of Pipeline builds. It also allows users to interact with `input` steps from Pipeline: Input Step Plugin. Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of `input` steps when using it to generate URLs to proceed or abort Pipeline builds. This allows attackers able to configure Pipelines to specify `input` step IDs resulting in URLs that would bypass the CSRF protection of any target URL in Jenkins. Pipeline: Stage View Plugin 2.27 correctly encodes the ID of `input` steps when using it to generate URLs to proceed or abort Pipeline builds.

How to fix CVE-2022-43408

To remediate CVE-2022-43408, upgrade the affected package to a fixed version below.

• —upgrade to 2.27 or later

Is CVE-2022-43408 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 2.25, < 2.27

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-43408
• WEBgithub.com/jenkinsci/pipeline-stage-view-plugin/commit/cee275109ee748fa9f599ec60159807a28a2933f
• WEBwww.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828
• WEBwww.openwall.com/lists/oss-security/2022/10/19/3