
Bug 831085 (CVE-2022-20612)

Summary: dev-util/jenkins-bin: build job triggerable without parameters
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: hydrapolic, patrick
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2558
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-12 21:18:52 UTC
CVE-2022-20612:

A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and earlier, LTS 2.319.1 and earlier allows attackers to trigger build of job without parameters when no security realm is set.

Please bump to 2.329.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-13 10:29:12 UTC
*** Bug 831122 has been marked as a duplicate of this bug. ***
Comment 2 Patrick Lauer gentoo-dev 2022-01-13 10:39:55 UTC
commit ea6a1bf6e65dd45503b9127c7a00869b8f1d6430
Author: Hans de Graaff <graaff@gentoo.org>
Date:   Thu Jan 13 07:56:35 2022 +0100

    dev-util/jenkins-bin: add 2.319.2, 2.330

    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>