CVE-2022-43410

jenkins-plugin/mercurial: Webhook endpoint discloses job names to unauthorized users in Mercurial Plugin

  • Severity Score: 5.3 (CVSS v3.1)
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild (KEV): -
  • Decision (SSVC): -

Descriptions

Jenkins Mercurial Plugin 1251.va_b_121f184902 and earlier provides information about which jobs were triggered or scheduled for polling through its webhook endpoint, including jobs the user has no permission to access.

Jenkins Mercurial Plugin versions 1251.va_b_121f184902 and earlier provide information about the jobs that were triggered or scheduled for polling through its webhook endpoint, including jobs that the user does not have permission to access.

An information leak was found in a Jenkins plugin. This issue could allow an unauthenticated remote attacker to issue GET requests. The greatest impact is to confidentiality.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2022-10-18 CVE Reserved
  • 2022-10-19 CVE Published
  • 2024-05-11 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Jenkins | Mercurial | <= 1251.va_b_121f184902 | jenkins | Affected