GHSA-m8f2-9282-x38v

Published: 24 May 2022
Source: github
Github: Reviewed
CVSS3: 4.3

Description

Jenkins ElectricFlow Plugin Missing permission checks

Various form validation and form autocompletion methods in CloudBees CD Plugin lacked permission checks. This allowed attackers with Overall/Read access to obtain information about the configuration of CloudBees CD Plugin, as well as the configuration and data of connected ElectricFlow servers.

These form validation and autocompletion methods now require Overall/Administer or Job/Configure permission, as appropriate for the given method.
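The permission-check pattern the fix describes, as an added Java example that is not the CloudBees CD Plugin's own code. The class `ExampleServerConfig`, the method names, the field names and the sample data are hypothetical; the Jenkins core and Stapler calls are the standard ones and need Jenkins core on the classpath.

```java
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

// Hypothetical describable; all class, method and field names are illustrative.
public class ExampleServerConfig extends AbstractDescribableImpl<ExampleServerConfig> {

    @Extension
    public static class DescriptorImpl extends Descriptor<ExampleServerConfig> {
        // Constructed stand-in for data a real plugin would fetch from the connected server.
        private static final List<String> SAMPLE_PROJECTS = List.of("Default", "Release");

        // Global-configuration validation: restricted to Overall/Administer.
        @POST
        public FormValidation doCheckServerUrl(@QueryParameter String value) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER); // throws AccessDeniedException if missing
            if (value == null || value.isBlank()) {
                return FormValidation.error("Server URL is required");
            }
            try {
                return "https".equals(new URI(value).getScheme())
                        ? FormValidation.ok()
                        : FormValidation.warning("Use an https:// URL");
            } catch (URISyntaxException e) {
                return FormValidation.error("Not a valid URL");
            }
        }

        // Job-level autocompletion: the caller needs Job/Configure on the job that owns the form.
        @POST
        public ListBoxModel doFillProjectNameItems(@AncestorInPath Item item) {
            ListBoxModel items = new ListBoxModel();
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER); // no job context: fall back to admin
            } else if (!item.hasPermission(Item.CONFIGURE)) {
                return items; // empty list: no server data for users with Overall/Read only
            }
            for (String project : SAMPLE_PROJECTS) {
                items.add(project);
            }
            return items;
        }
    }
}
```

Without the `checkPermission` and `hasPermission` calls, any user with Overall/Read could call both endpoints directly over HTTP, which is the CWE-862 condition this advisory describes.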

Packages

Name: org.jenkins-ci.plugins:electricflow (maven)
Affected versions: <= 1.1.6
Fixed version: 1.1.7

EPSS: 0.00041 (percentile: 12%, Low)

CVSS3: 4.3 Medium

Weaknesses

CWE-862

Related vulnerabilities

CVSS3: 4.3
nvd
more than 6 years ago

Missing permission checks in Jenkins ElectricFlow Plugin 1.1.5 and earlier in various HTTP endpoints allowed users with Overall/Read access to obtain information about the Jenkins ElectricFlow Plugin configuration and configuration of connected ElectricFlow instances.
