Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/51861?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51861?format=api", "vulnerability_id": "VCID-1pzb-gkrf-m3hq", "summary": "Webhook endpoint discloses job names to unauthorized users in Jenkins Mercurial Plugin\nMercurial Plugin provides a webhook endpoint at `/mercurial/notifyCommit` that can be used to notify Jenkins of changes to an SCM repository. This endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. It can be accessed with GET requests and without authentication.\n\nIn Mercurial Plugin 1251.va_b_121f184902 and earlier, the output of the webhook endpoint will provide information about which jobs were triggered or scheduled for polling, including jobs the user has no permission to access. This allows attackers with knowledge of Mercurial repository URLs to obtain information about the existence of jobs configured with this Mercurial repository.\n\nMercurial Plugin 1260.vdfb_723cdcc81 does not provide the names of jobs for which polling is triggered unless the user has the appropriate Item/Read permission.", "aliases": [ { "alias": "CVE-2022-43410" }, { "alias": "GHSA-j7pg-863g-22p6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/79719?format=api", "purl": "pkg:maven/org.jenkins-ci.plugins/mercurial@1260.vdfb_723cdcc81", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.plugins/mercurial@1260.vdfb_723cdcc81" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/993990?format=api", "purl": "pkg:maven/org.jenkins-ci.plugins/mercurial@1251.va_b_121f184902", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1pzb-gkrf-m3hq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.plugins/mercurial@1251.va_b_121f184902" }, { "url": "http://public2.vulnerablecode.io/api/packages/97533?format=api", "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.12.1675702407-1?arch=el8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1pzb-gkrf-m3hq" }, { "vulnerability": "VCID-1tha-u7dt-tfc9" }, { "vulnerability": "VCID-2zhb-qfhq-xkdp" }, { "vulnerability": "VCID-73th-g3mx-dqf1" }, { "vulnerability": "VCID-9h46-72hw-bkcr" }, { "vulnerability": "VCID-atqg-nfz6-zyfs" }, { "vulnerability": "VCID-k6wy-rwhv-ckd2" }, { "vulnerability": "VCID-n5vc-ggjg-kfc1" }, { "vulnerability": "VCID-netd-rr9e-wbg5" }, { "vulnerability": "VCID-pnge-tumu-v7e2" }, { "vulnerability": "VCID-rs56-6qvx-vucg" }, { "vulnerability": "VCID-rxtr-936k-h3cc" }, { "vulnerability": "VCID-s839-rpta-6bej" }, { "vulnerability": "VCID-tx8n-nmhx-gqg1" }, { "vulnerability": "VCID-v2pq-1qhm-4qb9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins-2-plugins@4.12.1675702407-1%3Farch=el8" } ], "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43410.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43410.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-43410", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66564", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66477", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66503", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66474", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66523", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66536", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66555", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66543", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66511", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66547", "published_at": "2026-04-16T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-43410" }, { "reference_url": "https://github.com/jenkinsci/mercurial-plugin", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jenkinsci/mercurial-plugin" }, { "reference_url": "https://github.com/jenkinsci/mercurial-plugin/commit/dfb723cdcc815875cdf63abd32e314ced5e95ac9", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jenkinsci/mercurial-plugin/commit/dfb723cdcc815875cdf63abd32e314ced5e95ac9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43410", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43410" }, { "reference_url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2831", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T19:21:54Z/" } ], "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2831" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/10/19/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T19:21:54Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2022/10/19/3" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136369", "reference_id": "2136369", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136369" }, { "reference_url": "https://github.com/advisories/GHSA-j7pg-863g-22p6", "reference_id": "GHSA-j7pg-863g-22p6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j7pg-863g-22p6" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1064", "reference_id": "RHSA-2023:1064", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1064" } ], "weaknesses": [ { "cwe_id": 200, "name": "Exposure of Sensitive Information to an Unauthorized Actor", "description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." } ], "exploits": [], "severity_range_score": "4.0 - 6.9", "exploitability": "0.5", "weighted_severity": "6.2", "risk_score": 3.1, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1pzb-gkrf-m3hq" }