Description
Missing permission check in Jenkins CloudBees CD Plugin allows scheduling builds
Jenkins CloudBees CD Plugin does not perform a permission check in an HTTP endpoint.
This allows attackers with Item/Read permission to schedule builds of projects without having Item/Build permission.
The fixed versions of Jenkins CloudBees CD Plugin require Item/Build permission to schedule builds via this HTTP endpoint.
Packages
Name: org.jenkins-ci.plugins:electricflow (maven)
Affected versions: < 1.1.18.1
Fixed version: 1.1.18.1
Name: org.jenkins-ci.plugins:electricflow (maven)
Affected versions: >= 1.1.19, < 1.1.22
Fixed version: 1.1.22
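Added example (not part of the advisory or the plugin's code): a Python check that applies the two affected ranges listed above to a plugin inventory, including the gap where 1.1.18.1 is fixed but 1.1.19 through 1.1.21 are affected again. The `id:version` inventory format and the sample entries are assumptions constructed for illustration; only purely numeric dotted versions are handled.

```python
import re

PLUGIN_ID = "electricflow"  # artifactId from the advisory's package list
# (lower bound inclusive or None, upper bound exclusive), as listed in the advisory
AFFECTED_RANGES = [(None, "1.1.18.1"), ("1.1.19", "1.1.22")]


def parse_version(text):
    """Turn '1.1.18.1' into (1, 1, 18, 1); trailing zeros are dropped so 1.1.22.0 == 1.1.22."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version):
    """True when the version falls inside any affected range."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if (low is None or v >= parse_version(low)) and v < parse_version(high):
            return True
    return False


def audit(inventory_text):
    """Return [(version, affected)] for every electricflow entry in 'id:version' lines."""
    findings = []
    for line in inventory_text.splitlines():
        line = line.split("#", 1)[0].strip()  # allow trailing comments
        if not line or ":" not in line:
            continue
        plugin_id, version = (field.strip() for field in line.split(":", 1))
        if plugin_id == PLUGIN_ID:
            findings.append((version, is_affected(version)))
    return findings


# Constructed sample inventory (assumed format: one "plugin-id:version" per line)
SAMPLE = """\
example-plugin:2.0
electricflow:1.1.18
electricflow:1.1.18.1
electricflow:1.1.21
electricflow:1.1.22
"""

if __name__ == "__main__":
    for version, affected in audit(SAMPLE):
        print(f"{PLUGIN_ID} {version}: {'AFFECTED, upgrade' if affected else 'fixed'}")
```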
Related vulnerabilities
CVSS3: 4.3
nvd
almost 5 years ago
Jenkins CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build permission.