Описание
Missing permission checks in Jenkins Warnings Next Generation Plugin allow listing workspace contents
Jenkins Warnings Next Generation Plugin 8.4.4 and earlier does not perform permission checks in methods implementing form validation.
This allows attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents. A sequence of requests can be used to effectively list workspace contents.
Jenkins Warnings Next Generation Plugin 8.5.0 requires Item/Configure permission to validate patterns with workspace contents.
Пакеты
io.jenkins.plugins:warnings-ng
<= 8.4.4
8.5.0
Связанные уязвимости
Jenkins Warnings Next Generation Plugin 8.4.4 and earlier does not perform a permission check in methods implementing form validation, allowing attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents.