Description
Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of builds, and if a specified build exists, its display name.
A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.
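A defender's first question on reading this advisory is which Jenkins controllers fall inside the stated ranges. The script below is an added example, not part of the advisory or of Jenkins itself: it parses Jenkins version strings, distinguishes weekly releases (two components, e.g. 2.550) from LTS releases (three components, e.g. 2.541.1), and checks each against the "2.550 and earlier" / "LTS 2.541.1 and earlier" ranges given above. The inventory entries are constructed sample data; the `X-Jenkins` response header that Jenkins controllers send is real, but the header values here are made up. The advisory does not name a fixed version, so a "not affected" result only means the version lies outside the ranges this page states.

```python
"""Check Jenkins controller versions against the affected ranges in this advisory.

Weekly releases carry two version components ("2.550"), LTS releases carry
three ("2.541.1").  Affected per the advisory:
    weekly  <= 2.550
    LTS     <= 2.541.1
"""
from typing import Dict, List, Optional, Tuple

# Upper bounds of the affected ranges, exactly as stated on the page.
AFFECTED_WEEKLY_MAX: Tuple[int, ...] = (2, 550)
AFFECTED_LTS_MAX: Tuple[int, ...] = (2, 541, 1)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "2.550" or "2.541.1" into a tuple of ints; reject anything else."""
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_lts(version: str) -> bool:
    """LTS versions have a third component; weekly versions do not."""
    return len(parse_version(version)) == 3


def is_affected(version: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    parsed = parse_version(version)
    bound = AFFECTED_LTS_MAX if len(parsed) == 3 else AFFECTED_WEEKLY_MAX
    # Tuple comparison is lexicographic, which matches dotted-version ordering.
    return parsed <= bound


def version_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Read the version a Jenkins controller reports in its X-Jenkins header.

    Header names are matched case-insensitively; returns None if absent.
    """
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


def triage(inventory: List[Tuple[str, Dict[str, str]]]) -> Dict[str, str]:
    """Map controller name -> 'affected' | 'outside stated range' | 'unknown'."""
    result: Dict[str, str] = {}
    for name, headers in inventory:
        version = version_from_headers(headers)
        if version is None:
            result[name] = "unknown"          # no version reported
            continue
        try:
            result[name] = "affected" if is_affected(version) else "outside stated range"
        except ValueError:
            result[name] = "unknown"          # unparseable version string
    return result


# Constructed sample inventory (hypothetical controller names and headers).
SAMPLE_INVENTORY: List[Tuple[str, Dict[str, str]]] = [
    ("ci-weekly",  {"X-Jenkins": "2.550"}),      # last affected weekly
    ("ci-lts",     {"X-Jenkins": "2.541.1"}),    # last affected LTS
    ("ci-newer",   {"X-Jenkins": "2.551"}),      # outside the stated weekly range
    ("ci-lts-new", {"X-Jenkins": "2.541.2"}),    # outside the stated LTS range
    ("ci-old-lts", {"X-Jenkins": "2.426.3"}),    # older LTS, affected
    ("ci-opaque",  {"Server": "Jetty"}),          # no X-Jenkins header at all
]

if __name__ == "__main__":
    for controller, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{controller:12s} {verdict}")
```

Because the OpenShift images listed below ship their own package versions, run this against the upstream Jenkins version the controller actually reports, and treat the package table on this page as the authority for the container builds.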
Report
This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools & Services.
Affected packages
| Platform | Package | Status | Recommendation | Release |
|---|---|---|---|---|
| OpenShift Developer Tools and Services | jenkins | Fix deferred | | |
| OpenShift Developer Tools and Services | ocp-tools-4/jenkins-rhel8 | Affected | | |
| OpenShift Developer Tools and Services | ocp-tools-4/jenkins-rhel9 | Affected | | |
Additional information
Status: 4.3 Medium (CVSS3)
Related vulnerabilities
Jenkins has a build information disclosure vulnerability through Run Parameter: 4.3 Medium (CVSS3)