Description
Missing permission check in Perfecto Plugin
Perfecto Plugin 1.17 and earlier does not perform a permission check in a method implementing a connection test.
This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified username and password.
Perfecto Plugin 1.18 requires Overall/Administer permission to perform a connection test.
Packages
Name: io.jenkins.plugins:perfecto (maven)
Affected versions: <= 1.17
Fixed version: 1.18
Related vulnerabilities
CVSS3: 4.3
nvd
more than 5 years ago
A missing permission check in Jenkins Perfecto Plugin 1.17 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials.