GHSA-2959-fj73-hm8p

Source

https://github.com/advisories/GHSA-2959-fj73-hm8p

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2959-fj73-hm8p/GHSA-2959-fj73-hm8p.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-2959-fj73-hm8p

Aliases

CVE-2021-21645

Published

2022-05-24T17:48:06Z

Modified

2024-01-02T05:50:54.054150Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Missing permission checks in Jenkins Config File Provider Plugin allow enumerating configuration file IDs

Details

Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate configuration file IDs.

An enumeration of configuration file IDs in Jenkins Config File Provider Plugin 3.7.1 requires the appropriate permissions.

Database specific

{
    "nvd_published_at": "2021-04-21T15:15:00Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-862"
    ],
    "severity": "MODERATE",
    "github_reviewed_at": "2022-12-13T19:26:47Z"
}

References

Affected packages

Maven / org.jenkins-ci.plugins:config-file-provider

Package

Name: org.jenkins-ci.plugins:config-file-provider; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/config-file-provider

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.7.1

Affected versions

1.*

1.0

1.1

1.2

1.5

1.6.1

1.9.1

2.*

2.0

2.1

2.1.1

2.2.1

2.3

2.4

2.5

2.5.1

2.6

2.6.1

2.6.2

2.7

2.7.1

2.7.4

2.7.5

2.8.1

2.9.2

2.9.3

2.10.0

2.10.1

2.11

2.13

2.14-beta

2.14.1-beta

2.14.2-beta

2.15

2.15.1

2.15.2-beta

2.15.3-beta

2.15.3

2.15.4

2.15.5

2.15.6

2.15.7

2.16.0

2.16.1

2.16.2

2.16.3

2.16.4

2.17

2.18

3.*

3.0

3.1

3.2

3.3

3.4

3.4.1

3.5

3.6

3.6.2

3.6.3

3.7.0

Database specific

last_known_affected_version_range

"<= 3.7.0"