CVE-2022-43407: 
Java vulnerability analysis and mitigation

CVE-2022-43407 is a high-severity vulnerability affecting the Pipeline: Input Step Plugin in Jenkins. The vulnerability was discovered and disclosed on October 19, 2022. It affects Pipeline: Input Step Plugin versions 451.vf1aa4f405289 and earlier, where the plugin fails to properly restrict or sanitize the optionally specified ID of the input step (Jenkins Advisory).

The vulnerability exists because the ID parameter used for URLs that process user interactions for input steps (proceed or abort) is not correctly encoded. This implementation flaw allows the construction of malformed URLs that could bypass CSRF protection mechanisms. The vulnerability has been assigned a severity rating of High according to the CVSS scoring system (Jenkins Advisory).

This vulnerability allows attackers with the ability to configure Pipelines to construct URLs that would bypass the CSRF protection of any target URL in Jenkins when the input step is interacted with. This could potentially lead to unauthorized actions being performed on behalf of other users (Jenkins Advisory).

The vulnerability has been fixed in Pipeline: Input Step Plugin version 456.vd8a957db5b_e9, which limits the characters that can be used for the ID of input steps to alphanumeric characters and URL-safe punctuation. Administrators are advised to update both Pipeline: Input Step Plugin and Pipeline: Declarative Plugin simultaneously, preferably while no Pipelines are running. Pipelines with input steps having IDs with prohibited characters will fail with an error after the update (Jenkins Advisory, Red Hat Advisory).