CVE-2022-20614 - OpenCVE

A missing permission check in Jenkins Mailer Plugin 391.ve4a_38c1b_cf4b_ and earlier allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Jenkins	Mailer
Oracle	Communications Cloud Native Core Automated Test Suite

Configuration 1 [-]

OR	cpe:2.3:a:jenkins:mailer::::::jenkins::*
	cpe:2.3:a:jenkins:mailer:391.ve4a_38c1b_cf4b_:-::::::

Configuration 2 [-]

cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2022/01/12/6	Mailing List Third Party Advisory
https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2163	Vendor Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: jenkins

Published: 2022-01-12T00:00:00

Updated: 2023-10-24T14:19:02.456Z

Reserved: 2021-10-28T00:00:00

Link: CVE-2022-20614

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-01-12T20:15:08.763

Modified: 2023-11-22T21:30:49.813

Link: CVE-2022-20614

JSON object: View

Redhat Information

No data.

CWE

CWE-862

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:mailer:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "FC5981AF-B324-430E-8395-D47C87B42056", "versionEndExcluding": "1.34.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:jenkins:mailer:391.ve4a_38c1b_cf4b_:-:*:*:*:*:*:*", "matchCriteriaId": "3B00EC51-59E1-4541-A47C-D8D348DA01AC", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "A4CA84D6-F312-4C29-A02B-050FCB7A902B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A missing permission check in Jenkins Mailer Plugin 391.ve4a_38c1b_cf4b_ and earlier allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname."}, {"lang": "es", "value": "Una comprobaci\u00f3n de permiso faltante en el plugin Jenkins Mailer versiones 391.ve4a_38c1b_cf4b_ y anteriores, permite a atacantes con acceso Overall/Read usar el DNS usado por la instancia Jenkins para resolver un nombre de host especificado por el atacante"}], "id": "CVE-2022-20614", "lastModified": "2023-11-22T21:30:49.813", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-12T20:15:08.763", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2163"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}