CVE-2021-22513 — Missing permission checks in Micro Focus Application Automation Tools Plugin

Description

Micro Focus Application Automation Tools Plugin 6.7 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to attacker-specified URLs using attacker-specified username and password. Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. Micro Focus Application Automation Tools Plugin 6.8 requires POST requests and Overall/Administer permission for the affected form validation methods.

How to fix CVE-2021-22513

To remediate CVE-2021-22513, upgrade the affected package to a fixed version below.

—upgrade to 7.2.3-beta or later

Is CVE-2021-22513 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 7.2.3-beta

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-22513
PATCHgithub.com/jenkinsci/hpe-application-automation-tools-plugin
WEBgithub.com/jenkinsci/hpe-application-automation-tools-plugin/commit/497a143d9a95e9c937501ca329fe0dae22a0d9cd
WEBwww.jenkins.io/security/advisory/2021-04-07/#SECURITY-2132