Vulnerability details: VCID-rxtr-936k-h3cc
Vulnerability ID VCID-rxtr-936k-h3cc
Aliases CVE-2022-43408
GHSA-g975-f26h-93g8
Summary Jenkins Pipeline: Stage View Plugin allows CSRF protection bypass of any target URL in Jenkins

Jenkins Pipeline: Stage View Plugin provides a visualization of Pipeline builds. It also allows users to interact with `input` steps from Pipeline: Input Step Plugin. Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of `input` steps when using it to generate URLs to proceed or abort Pipeline builds. This allows attackers able to configure Pipelines to specify `input` step IDs resulting in URLs that would bypass the CSRF protection of any target URL in Jenkins. Pipeline: Stage View Plugin 2.27 correctly encodes the ID of `input` steps when using it to generate URLs to proceed or abort Pipeline builds.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
cvssv3 5.7 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43408.json
epss 0.00015 https://api.first.org/data/v1/epss?cve=CVE-2022-43408
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-g975-f26h-93g8
cvssv3.1 8.0 https://github.com/jenkinsci/pipeline-stage-view-plugin/commit/cee275109ee748fa9f599ec60159807a28a2933f
generic_textual HIGH https://github.com/jenkinsci/pipeline-stage-view-plugin/commit/cee275109ee748fa9f599ec60159807a28a2933f
cvssv3.1 8.0 https://nvd.nist.gov/vuln/detail/CVE-2022-43408
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2022-43408
cvssv3.1 6.5 https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828
cvssv3.1 8.0 https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828
generic_textual HIGH https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828
ssvc Track https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828
cvssv3.1 6.5 http://www.openwall.com/lists/oss-security/2022/10/19/3
cvssv3.1 8.0 http://www.openwall.com/lists/oss-security/2022/10/19/3
generic_textual HIGH http://www.openwall.com/lists/oss-security/2022/10/19/3
ssvc Track http://www.openwall.com/lists/oss-security/2022/10/19/3
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43408.json
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/jenkinsci/pipeline-stage-view-plugin/commit/cee275109ee748fa9f599ec60159807a28a2933f
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-43408
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T19:24:25Z/ Found at https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at http://www.openwall.com/lists/oss-security/2022/10/19/3
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at http://www.openwall.com/lists/oss-security/2022/10/19/3
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T19:24:25Z/ Found at http://www.openwall.com/lists/oss-security/2022/10/19/3
Exploit Prediction Scoring System (EPSS)
Percentile 0.03347
EPSS Score 0.00015
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:04:55.833361+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-g975-f26h-93g8/GHSA-g975-f26h-93g8.json 38.0.0