CVE-2022-43408

MEDIUM

Jenkins Pipeline: Stage View Plugin <2.26 - CSRF Bypass

Title source: llm

Description

Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure Pipelines to specify 'input' step IDs resulting in URLs that would bypass the CSRF protection of any target URL in Jenkins.

References (2)

Core 2

Core References

Vendor Advisory

https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828

Mailing List, Third Party Advisory mailing-list

http://www.openwall.com/lists/oss-security/2022/10/19/3

Scores

CVSS v3 6.5

EPSS 0.0002

EPSS Percentile 4.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-352

Status published

Products (2)

jenkins/pipeline\ < 2.27

org.jenkins-ci.plugins.pipeline-stage-view/pipeline-stage-view 2.25 - 2.27Maven

Published Oct 19, 2022

Tracked Since Feb 18, 2026