exploitDog

GHSA-c4c3-3cgh-vvrh

Published: May 24, 2022
Source: github
Github: Reviewed
CVSS3: 4.3

Description

Missing permission check in Jenkins requests-plugin Plugin allows viewing pending requests

Jenkins requests-plugin Plugin 2.2.6 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to view the list of pending requests.

Jenkins requests-plugin Plugin 2.2.7 requires Overall/Administer permission to view the list of pending requests.

The previous sentence originally stated that Overall/Read permission was newly required. This statement was incorrect and was fixed on 2021-07-05.

Packages

Name: org.jenkins-ci.plugins:requests
Ecosystem: maven
Affected versions: <= 2.2.6
Fixed version: 2.2.7

EPSS: 0.00125 (percentile: 32%, Low)

CVSS3: 4.3 Medium

Weaknesses: CWE-862

Related vulnerabilities

CVSS3: 4.3
Source: nvd
Published: more than 4 years ago

A missing permission check in Jenkins requests-plugin Plugin 2.2.6 and earlier allows attackers with Overall/Read permission to view the list of pending requests.
