Description
Jenkins MCP Server Plugin does not perform permission checks in multiple MCP tools
Jenkins MCP Server Plugin 0.84.v50ca_24ef83f2 and earlier does not perform permission checks in several MCP tools.
This allows the following:
- Attackers with Item/Read permission can obtain information about the configured SCM in a job despite lacking Item/Extended Read permission (getJobScm).
- Attackers with Item/Read permission can trigger new builds of a job despite lacking Item/Build permission (triggerBuild).
- Attackers without Overall/Read permission can retrieve the names of configured clouds (getStatus).
MCP Server Plugin 0.86.v7d3355e6a_a_18 performs permission checks for the affected MCP tools.
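As an added illustration, not the plugin's own code, the following shows the Jenkins permission check each affected tool needs before doing its work, using the standard AccessControlled.checkPermission() idiom; the method names and the AbstractProject simplification are assumptions made for the example.

```java
// Added example (not code from the MCP Server Plugin): the authorization
// checks a tool handler should perform for the three affected operations.
// checkPermission() throws hudson.security.AccessDeniedException3 when the
// calling user lacks the permission, so the tool never reaches its body.
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.scm.SCM;
import hudson.slaves.Cloud;
import jenkins.model.Jenkins;
import java.util.List;
import java.util.stream.Collectors;

public class McpToolPermissionChecks {

    // getJobScm: getItemByFullName() only requires Item/Read, which is what
    // let the SCM configuration leak. SCM details are Item/ExtendedRead
    // material, so demand that permission explicitly before returning them.
    public static SCM getJobScm(String jobFullName) {
        AbstractProject<?, ?> project =
                Jenkins.get().getItemByFullName(jobFullName, AbstractProject.class);
        if (project == null) {
            return null; // unknown job, or the caller cannot even read it
        }
        project.checkPermission(Item.EXTENDED_READ);
        return project.getScm();
    }

    // triggerBuild: being able to see a job (Item/Read) does not imply being
    // allowed to build it; require Item/Build before scheduling.
    public static boolean triggerBuild(String jobFullName) {
        AbstractProject<?, ?> project =
                Jenkins.get().getItemByFullName(jobFullName, AbstractProject.class);
        if (project == null) {
            return false;
        }
        project.checkPermission(Item.BUILD);
        return project.scheduleBuild2(0) != null;
    }

    // getStatus: listing configured clouds is controller-level information,
    // so require Overall/Read on the Jenkins instance first.
    public static List<String> getCloudNames() {
        Jenkins jenkins = Jenkins.get();
        jenkins.checkPermission(Jenkins.READ);
        return jenkins.clouds.stream()
                .map(cloud -> cloud.name)
                .collect(Collectors.toList());
    }
}
```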
Packages
io.jenkins.plugins:mcp-server
Affected versions: < 0.86.v7d3355e6a
Patched versions: 0.86.v7d3355e6a
Related vulnerabilities
Jenkins MCP Server Plugin 0.84.v50ca_24ef83f2 and earlier does not perform permission checks in multiple MCP tools, allowing attackers to trigger builds and obtain information about job and cloud configuration they should not be able to access.