What is CVE-2022-30954?

CVE-2022-30954 refers to a vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier that allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server.

What is the severity of CVE-2022-30954?

CVE-2022-30954 has a severity rating of 6.5, which is considered medium.

How can I fix CVE-2022-30954?

To fix CVE-2022-30954, you should update your Jenkins Blue Ocean Plugin to version 1.25.4 or later.

Where can I find more information about CVE-2022-30954?

You can find more information about CVE-2022-30954 in the official Jenkins security advisory (https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502) and the Red Hat Security Errata (https://access.redhat.com/errata/RHSA-2023:0017).

What is the CWE ID for CVE-2022-30954?

The CWE ID for CVE-2022-30954 is 862.

Vulnerability/
CVE-2022-30954

medium

6.5

CWE

862

17/5/2022

18/5/2022

3/8/2024

CVE-2022-30954

First published: Tue May 17 2022(Updated: )

Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.

Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com

Affected Software	Affected Version	How to fix
redhat/jenkins	<2-plugins-0:4.11.1683009941-1.el8	2-plugins-0:4.11.1683009941-1.el8
redhat/jenkins	<2-plugins-0:4.12.1686649756-1.el8	2-plugins-0:4.12.1686649756-1.el8
redhat/jenkins	<2-plugins-0:4.13.1686680473-1.el8	2-plugins-0:4.13.1686680473-1.el8
redhat/jenkins	<2-plugins-0:4.10.1675144701-1.el8	2-plugins-0:4.10.1675144701-1.el8
redhat/jenkins	<2-plugins-0:4.8.1672842762-1.el8	2-plugins-0:4.8.1672842762-1.el8
redhat/jenkins	<2-plugins-0:4.9.1675668922-1.el8	2-plugins-0:4.9.1675668922-1.el8
Jenkins Blue Ocean	<=1.25.3
maven/io.jenkins.blueocean:blueocean-parent	<1.25.4	1.25.4

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2022-30954?
CVE-2022-30954 refers to a vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier that allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server.
What is the severity of CVE-2022-30954?
CVE-2022-30954 has a severity rating of 6.5, which is considered medium.
How can I fix CVE-2022-30954?
To fix CVE-2022-30954, you should update your Jenkins Blue Ocean Plugin to version 1.25.4 or later.
Where can I find more information about CVE-2022-30954?
You can find more information about CVE-2022-30954 in the official Jenkins security advisory (https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502) and the Red Hat Security Errata (https://access.redhat.com/errata/RHSA-2023:0017).
What is the CWE ID for CVE-2022-30954?
The CWE ID for CVE-2022-30954 is 862.

collector/redhat-cve
collector/nvd-index
collector/nvd-api
collector/github-advisory-latest
alias/GHSA-5m4q-x28v-q6wp
alias/CVE-2022-30954
collector/nvd-cve
collector/github-advisory
agent/type
agent/first-publish-date
agent/last-modified-date
agent/softwarecombine
agent/author
agent/weakness
agent/severity
agent/references
agent/description
collector/redhat-bugzilla
source/Red Hat
agent/software-canonical-lookup
agent/tags
agent/event
collector/mitre-cve
source/MITRE
package-manager/redhat
vendor/jenkins
canonical/jenkins blue ocean
version/jenkins blue ocean/1.25.3
package-manager/maven