CVE-2022-34212 - A missing permission check in Jenkins vRealize Orchestrator Plugin 3.0 and earlier allows attackers

CVE-2022-34212

Summary

A missing permission check in Jenkins vRealize Orchestrator Plugin 3.0 and earlier allows attackers with Overall/Read permission to send an HTTP POST request to an attacker-specified URL.

References

https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2279

Vulnerable Configurations

cpe:2.3:a:jenkins:vrealize_orchestrator:1.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:vrealize_orchestrator:1.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:vrealize_orchestrator:1.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:vrealize_orchestrator:1.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:vrealize_orchestrator:2.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:vrealize_orchestrator:2.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:vrealize_orchestrator:3.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:vrealize_orchestrator:3.0:*:*:*:*:jenkins:*:*

CVSS

Base:	3.5 (as of 03-11-2023 - 19:04)
Impact:
Exploitability:

CWE

CWE-862

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	SINGLE

Impact

Confidentiality	Integrity	Availability
NONE	PARTIAL	NONE

cvss-vector via4

AV:N/AC:M/Au:S/C:N/I:P/A:N

Last major update

03-11-2023 - 19:04

Published

23-06-2022 - 17:15

Last modified

03-11-2023 - 19:04