GHSA-7qp2-rgxr-29q4

Suggest an improvement
Source
https://github.com/advisories/GHSA-7qp2-rgxr-29q4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7qp2-rgxr-29q4/GHSA-7qp2-rgxr-29q4.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-7qp2-rgxr-29q4
Aliases
  • CVE-2021-22513
Published
2022-05-24T17:46:58Z
Modified
2024-01-02T05:48:52.242293Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Missing permission checks in Micro Focus Application Automation Tools Plugin
Details

Micro Focus Application Automation Tools Plugin 6.7 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to attacker-specified URLs using attacker-specified username and password.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Micro Focus Application Automation Tools Plugin 6.8 requires POST requests and Overall/Administer permission for the affected form validation methods.

Database specific
{
    "nvd_published_at": "2021-04-08T22:15:00Z",
    "cwe_ids": [
        "CWE-862"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-13T19:14:11Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:hp-application-automation-tools-plugin

Package

Name
org.jenkins-ci.plugins:hp-application-automation-tools-plugin
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/hp-application-automation-tools-plugin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
7.2.3-beta

Affected versions

1.*

1.0
1.0.2

2.*

2.0.0
2.0.2

3.*

3.0.5
3.0.6
3.0.7

4.*

4.0
4.0.1
4.5.0

5.*

5.0.0-beta-1
5.0
5.1-beta-1
5.1
5.1.0.1-beta
5.1.0.2-beta
5.2
5.2.0.1-beta
5.3
5.3.1-beta
5.3.2-beta
5.3.3-beta
5.3.4-beta
5.4
5.4.1-beta
5.4.2-beta
5.5
5.5.1-beta
5.5.2-beta
5.5.3-beta
5.5.4-beta
5.6
5.6.1
5.6.2
5.6.3-beta
5.6.4-beta
5.6.5-beta
5.7
5.7.1-beta
5.7.2-beta
5.7.3-beta
5.7.4-beta
5.8
5.8.1-beta
5.8.2-beta
5.8.3-beta
5.8.4-beta
5.8.5-beta
5.8.6-beta
5.8.7-beta
5.8.8-beta
5.9
5.9.1-beta
5.9.2-beta
5.9.3-beta

6.*

6.0
6.0.1-beta
6.0.2-beta
6.0.3-beta
6.0.4-beta
6.0.5-beta
6.1
6.1.1-beta
6.1.2-beta
6.1.3-beta
6.1.4-beta
6.2
6.2.1-beta
6.2.2-beta
6.2.3-beta
6.2.4-beta
6.2.5-beta
6.2.6-beta
6.2.7-beta
6.2.8-beta
6.3
6.3.1-beta
6.3.2-beta
6.3.3-beta
6.3.4-beta
6.4
6.4.1-beta
6.4.2-beta
6.4.3-beta
6.5
6.6
6.6.1-beta
6.6.2-beta
6.6.3-beta
6.6.4-beta
6.6.5-beta
6.7
6.7.1-beta
6.8
6.8.1-beta
6.8.2-beta
6.9

7.*

7.0-beta
7.0
7.0.1-beta
7.0.2-beta
7.0.3-beta
7.0.4-beta
7.0.5-beta
7.0.6-beta
7.0.7-beta
7.0.8-beta
7.0.9-beta
7.1
7.1.1-beta
7.1.2-beta
7.2
7.2.1-beta
7.2.2-beta

Database specific

{
    "last_known_affected_version_range": "<= 6.7"
}