Описание
Jenkins Fogbugz Plugin has missing permissions check
Jenkins Fogbugz Plugin provides a webhook endpoint at /fbTrigger/ that can be used to trigger builds of any jobs.
In Fogbugz Plugin 2.2.17 and earlier, this endpoint can be accessed by attackers with Item/Read permission, allowing them to trigger builds of jobs specified in a jobname request parameter.
Пакеты
Наименование
org.jenkins-ci.plugins:fogbugz
maven
Затронутые версииВерсия исправления
<= 2.2.17
Отсутствует
Связанные уязвимости
CVSS3: 4.3
nvd
больше 2 лет назад
A missing permission check in Jenkins Fogbugz Plugin 2.2.17 and earlier allows attackers with Item/Read permission to trigger builds of jobs specified in a 'jobname' request parameter.