Описание
Jenkins Code Dx Plugin missing permission checks
Jenkins Code Dx Plugin 3.1.0 and earlier does not perform a permission check in a method implementing form validation.
This allows attackers with Item/Read permission to check for the existence of an attacker-specified file path on an agent file system.
Code Dx Plugin 4.0.0 requires Item/Configure permission for this form validation method and ensures that only files located within the workspace can be checked.
Пакеты
Наименование
org.jenkins-ci.plugins:codedx
maven
Затронутые версииВерсия исправления
< 4.0.0
4.0.0
Связанные уязвимости
CVSS3: 4.3
nvd
больше 2 лет назад
A missing permission check in Jenkins Code Dx Plugin 3.1.0 and earlier allows attackers with Item/Read permission to check for the existence of an attacker-specified file path on an agent file system.