GHSA-vc7g-4269-f7hw

Suggest an improvement
Source
https://github.com/advisories/GHSA-vc7g-4269-f7hw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vc7g-4269-f7hw/GHSA-vc7g-4269-f7hw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vc7g-4269-f7hw
Aliases
Published
2022-05-24T17:28:25Z
Modified
2024-01-02T05:54:06.659579Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Missing permission check in Blue Ocean Plugin
Details

Updated 2020-09-16

This entry previously misidentified the problematic behavior. The HTTP request itself is legitimate, but only authorized users should be able to perform it.

Original Description

Blue Ocean Plugin 1.23.2 and earlier does not perform permission checks in several HTTP endpoints implementing connection tests.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Blue Ocean Plugin 1.23.3 requires Item/Create permission to perform these connection tests.

References

Affected packages

Maven / io.jenkins.blueocean:blueocean

Package

Name
io.jenkins.blueocean:blueocean
View open source insights on deps.dev
Purl
pkg:maven/io.jenkins.blueocean/blueocean

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.23.3

Affected versions

1.*

1.0-alpha-1
1.0-alpha-2
1.0-alpha-3
1.0-alpha-4
1.0-alpha-5
1.0-alpha-6
1.0-alpha-7
1.0-alpha-8
1.0-alpha-9
1.0.0-b01
1.0.0-b02
1.0.0-b03
1.0.0-b04
1.0.0-b05
1.0.0-b06
1.0.0-b07
1.0.0-b08
1.0.0-b09
1.0.0-b10
1.0.0-b11
1.0.0-b12
1.0.0-b13
1.0.0-b14
1.0.0-b15
1.0.0-b16
1.0.0-b17
1.0.0-b18
1.0.0-b19-beta-1
1.0.0-b19
1.0.0-b20-beta-1
1.0.0-b20
1.0.0-b21-beta-1
1.0.0-b21
1.0.0-b22
1.0.0-b23
1.0.0-b24
1.0.0-b25
1.0.0-rc1
1.0.0-rc2
1.0.0-rc3
1.0.0-rc4
1.0.0
1.0.1
1.1.0-beta-1
1.1.0-beta-2
1.1.0-beta-4
1.1.0-beta-8
1.1.0-beta-9
1.1.0
1.1.1
1.1.2
1.1.4
1.1.5
1.1.6
1.1.7
1.2.0-beta-1
1.2.0-beta-3
1.2.0-beta-4
1.2.0-beta-5
1.2.0-beta-6
1.2.0-beta-7
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.3.0-beta-1
1.3.0-beta-2
1.3.0-beta-3
1.3.0-beta-4
1.3.0-beta-5
1.3.0-beta-6
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.4.0-beta-3
1.4.0-beta-4
1.4.0-beta-5
1.4.0
1.4.1
1.4.2
1.5.0-beta-1
1.5.0-beta-2
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.6.0-beta-1
1.6.0-beta-3
1.6.0
1.6.1
1.6.2
1.7.0
1.7.1
1.7.2
1.8.0
1.8.2
1.8.3
1.8.4
1.9.0
1.9.1
1.10.1
1.10.2
1.11.0
1.11.1
1.13.0
1.13.1
1.13.2
1.14.0
1.15.0
1.15.1
1.16.0
1.17.0
1.18.0
1.18.1
1.19.0
1.19.1
1.19.2
1.21.0
1.22.0
1.23.0
1.23.1
1.23.2

Database specific

{
    "last_known_affected_version_range": "<= 1.23.2"
}