CVE-2022-43407

HIGH

Jenkins Pipeline: Input Step Plugin <451.vf1a_a_4f405289 - CSRF Bypass

Title source: llm

Description

Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specified ID of the 'input' step, which is used for the URLs that process user interactions for the given 'input' step (proceed or abort) and is not correctly encoded, allowing attackers able to configure Pipelines to have Jenkins build URLs from 'input' step IDs that would bypass the CSRF protection of any target URL in Jenkins when the 'input' step is interacted with.

References (2)

Core 2

Core References

Vendor Advisory

https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2880

Mailing List, Third Party Advisory mailing-list

http://www.openwall.com/lists/oss-security/2022/10/19/3

Scores

CVSS v3 8.8

EPSS 0.0002

EPSS Percentile 5.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-352

Status published

Products (2)

jenkins/pipeline\ < 451.vf1a_a_4f405289

org.jenkins-ci.plugins/pipeline-input-step 0 - 456.vd8a_957db_5b_e9Maven

Published Oct 19, 2022

Tracked Since Feb 18, 2026