Description
Jenkins Quay.io trigger Plugin webhook endpoint can be accessed without authentication
Jenkins Quay.io trigger Plugin provides a webhook endpoint at /quayio-webhook/ that can be used to trigger builds of jobs configured to use a specified repository.
In Quay.io trigger Plugin 0.1 and earlier, this endpoint can be accessed without authentication.
This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.
Packages
Name: org.jenkins-ci.plugins:quayio-trigger (maven)
Affected versions: <= 0.1
Fixed version: None
Related vulnerabilities
CVSS3: 5.3
nvd
almost 3 years ago
A missing permission check in Jenkins Quay.io trigger Plugin 0.1 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.