This issue does not affect Pipelines. In Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier, this issue can be exploited by attackers to configure Jenkins to build URLs from 'input' step IDs that would bypass the CSRF protection of any target URL in Jenkins when the 'input' step is interacted with.

CVE-2018-5682: Cross-site request forgery

Changes to the Pipeline Plugin

As of Pipeline Plugin v2.0.4, released on July 16, 2018 and later:

* The issue mentioned in CVE-2018-5682 has been fixed
* The issue mentioned in CVE-2022-43407 has been resolved

Summary

This issue does not affect Pipelines. In Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier, this issue can be exploited by attackers to configure Jenkins to build URLs from 'input' step IDs that would bypass the CSRF protection of any target URL in Jenkins when the 'input' step is interacted with.
The following plugin versions are affected:
451.vf1a_a_4f405289 and earlier
The following pipelines are affected:

How to update Jenkins?

The following instructions will help you update your Jenkins server to the latest version.

Solution

In Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier, this issue can be exploited by attackers to configure Jenkins to build URLs from 'input' step IDs that would bypass the CSRF protection of any target URL in Jenkins when the 'input' step is interacted with.
Pipelines is not affected by CVE-2018-5682 or CVE-2022-43407.

Timeline

Published on: 10/19/2022 16:15:00 UTC
Last modified on: 10/21/2022 17:40:00 UTC

References