{
  "schema_version": "1.4.0",
  "id": "GHSA-mrf6-4gw6-65v3",
  "modified": "2023-10-27T20:54:28Z",
  "published": "2022-09-22T00:00:28Z",
  "aliases": [
    "CVE-2022-41242"
  ],
  "summary": "Jenkins extreme-feedback Plugin vulnerable to Missing Authorization",
  "details": "Jenkins extreme-feedback Plugin 1.7 and earlier does not perform a permission check in an HTTP endpoint.\n\nThis allows attackers with Overall/Read permission to discover information about job names attached to lamps, discover MAC and IP addresses of existing lamps, and rename lamps.\n\nAs of publication of this advisory, there is no fix.",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:extreme-feedback"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.7"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41242"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/extreme-feedback-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2001"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-23T13:32:15Z",
    "nvd_published_at": "2022-09-21T16:15:00Z"
  }
}