CVE-2022-43408: Inappropriate Encoding for Output Context

October 19, 2022 (updated October 22, 2022)

Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of ‘input’ steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure Pipelines to specify ‘input’ step IDs resulting in URLs that would bypass the CSRF protection of any target URL in Jenkins.

References

www.openwall.com/lists/oss-security/2022/10/19/3
github.com/advisories/GHSA-g975-f26h-93g8
nvd.nist.gov/vuln/detail/CVE-2022-43408
www.jenkins.io/security/advisory/2022-10-19/

Code Behaviors & Features

Detect and mitigate CVE-2022-43408 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →