Описание
If an attempt is made to create an item of a type prohibited by ACL#hasCreatePermission2 or TopLevelItemDescriptor#isApplicableIn(ItemGroup) through the Jenkins CLI or the REST API and either of these checks fail, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the item in memory, only deleting it from disk, allowing attackers with Item/Configure permission to save the item to persist it, effectively bypassing the item creation restriction.
A flaw was found in Jenkins. When attempting to create an item prohibited by ACL#hasCreatePermission2 or TopLevelItemDescriptor#isApplicableIn(ItemGroup) through the Jenkins CLI or the REST API, if either of these checks fail, Jenkins creates the item in memory and only deletes it from disk. This may allow an attacker with the Item/Configure permission to save the item, effectively bypassing the item creation restriction.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Developer Hub | rhdh-operator-container | Not affected | ||
| Red Hat Developer Hub | rhdh/rhdh-hub-rhel9 | Not affected | ||
| OCP-Tools-4.12-RHEL-8 | jenkins | Fixed | RHSA-2024:8886 | 05.11.2024 |
| OCP-Tools-4.12-RHEL-8 | jenkins-2-plugins | Fixed | RHSA-2024:8886 | 05.11.2024 |
| OCP-Tools-4.13-RHEL-8 | jenkins | Fixed | RHSA-2024:8887 | 05.11.2024 |
| OCP-Tools-4.13-RHEL-8 | jenkins-2-plugins | Fixed | RHSA-2024:8887 | 05.11.2024 |
| OCP-Tools-4.14-RHEL-8 | jenkins | Fixed | RHSA-2024:8885 | 05.11.2024 |
| OCP-Tools-4.14-RHEL-8 | jenkins-2-plugins | Fixed | RHSA-2024:8885 | 05.11.2024 |
| OCP-Tools-4.15-RHEL-8 | jenkins | Fixed | RHSA-2024:8884 | 05.11.2024 |
| OCP-Tools-4.15-RHEL-8 | jenkins-2-plugins | Fixed | RHSA-2024:8884 | 05.11.2024 |
Показывать по
Дополнительная информация
Статус:
5.3 Medium
CVSS3
Связанные уязвимости
If an attempt is made to create an item of a type prohibited by `ACL#hasCreatePermission2` or `TopLevelItemDescriptor#isApplicableIn(ItemGroup)` through the Jenkins CLI or the REST API and either of these checks fail, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the item in memory, only deleting it from disk, allowing attackers with Item/Configure permission to save the item to persist it, effectively bypassing the item creation restriction.
If an attempt is made to create an item of a type prohibited by `ACL#h ...
Jenkins item creation restriction bypass vulnerability
Уязвимость сервера автоматизации Jenkins, связанная с недостатками контроля доступа, позволяющая нарушителю обойти ограничения и создать временный элемент
5.3 Medium
CVSS3