
[GHSA-v7xh-h48c-xw5f] Revising Integrity and Availability from High to None #5198

Open · wants to merge 1 commit into base: lucia-di-lammermoor/advisory-improvement-5198
Conversation

lucia-di-lammermoor

Summary

The Integrity (I) and Availability (A) ratings of CVE-2021-21633 / GHSA-v7xh-h48c-xw5f should be revised as follows:

  • The Integrity (I) should be updated from High (H) to None (N) because this vulnerability pertains primarily to unauthorized data disclosure, not data tampering. There is no evidence suggesting that attackers can modify data within the impacted component.
  • The Availability (A) should be updated from High (H) to None (N) because this vulnerability does not affect the availability of Jenkins or its services. There is no indication of mechanisms, such as denial of service, being involved.

GHSA Description

Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing "Secret text" credentials stored in Jenkins. If no credentials ID is specified, the globally configured credential is used, if set up, and can likewise be captured.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Jenkins OWASP Dependency-Track Plugin 3.1.1 requires POST requests and appropriate permissions for the affected HTTP endpoints.

CVSS 3.x Specifications for Integrity

| Metric Value | Description |
| --- | --- |
| High (H) | There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component. |
| Low (L) | Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact on the impacted component. |
| None (N) | There is no loss of integrity within the impacted component. |

CVSS 3.x Specifications for Availability

| Metric Value | Description |
| --- | --- |
| High (H) | There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks only a small amount of memory, but after repeated exploitation causes a service to become completely unavailable). |
| Low (L) | Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the impacted component are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the impacted component. |
| None (N) | There is no impact to availability within the impacted component. |

Supporting Examples

Furthermore, two similar CVEs for Jenkins plugins have both been rated as I:N/A:N under comparable circumstances:

  • CVE-2021-21632 / GHSA-xfrw-pcmc-r2p3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

    Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints.

    This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing "Secret text" credentials stored in Jenkins. If no credentials ID is specified, the globally configured credential is used, if set up, and can likewise be captured.

    Jenkins OWASP Dependency-Track Plugin 3.1.1 requires appropriate permissions for the affected HTTP endpoints.

  • CVE-2023-23848 / GHSA-c3v2-5388-v8pw (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

    Missing permission checks in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

@github-actions github-actions bot changed the base branch from main to lucia-di-lammermoor/advisory-improvement-5198 January 18, 2025 23:27