GHSA-3jp6-q9cg-rvgj

Suggest an improvement
Source
https://github.com/advisories/GHSA-3jp6-q9cg-rvgj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-3jp6-q9cg-rvgj/GHSA-3jp6-q9cg-rvgj.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-3jp6-q9cg-rvgj
Aliases
Published
2022-09-22T00:00:28Z
Modified
2024-02-22T05:20:37.384597Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Missing permission check in Jenkins build-publisher Plugin
Details

Jenkins Build-Publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to those Jenkins servers. At this time there is no known workaround or fix. The Build-Publisher plugin distribution has been suspended.

Database specific
{
    "nvd_published_at": "2022-09-21T16:15:00Z",
    "cwe_ids": [
        "CWE-862",
        "CWE-863"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-06T14:26:48Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:build-publisher

Package

Name
org.jenkins-ci.plugins:build-publisher
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/build-publisher

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
1.22

Affected versions

1.*

1.11
1.12
1.13
1.14
1.15
1.16
1.17
1.18
1.19
1.20
1.21
1.22