Описание
Improper permission checks in Jenkins Swarm Plugin
Swarm Plugin adds API endpoints to add or remove agent labels. In Swarm Plugin 3.20 and earlier these only require a global Swarm secret to use, and no regular permission check is performed. This allows users with Agent/Create permission to add or remove labels of any agent.
Swarm Plugin 3.21 requires Agent/Configure permission for the affected agent to these endpoints. It no longer uses the global Swarm secret for these API endpoints.
Пакеты
Наименование
org.jenkins-ci.plugins:swarm
maven
Затронутые версииВерсия исправления
< 3.21
3.21
Связанные уязвимости
CVSS3: 4.3
nvd
больше 5 лет назад
Jenkins Self-Organizing Swarm Plug-in Modules Plugin 3.20 and earlier does not check permissions on API endpoints that allow adding and removing agent labels.