Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01MjkzLTNmZ3AtY3IzeM37rA
Missing permission checks in Jenkins Periodic Backup Plugin allow every user to change settings
The Periodic Backup Plugin did not perform any permission checks, allowing any user with Overall/Read access to change its settings, trigger backups, restore backups, download backups, and also delete all previous backups via log rotation. Additionally, the plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks.
Permalink: https://github.com/advisories/GHSA-5293-3fgp-cr3xJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01MjkzLTNmZ3AtY3IzeM37rA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 3 months ago
CVSS Score: 8.0
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-5293-3fgp-cr3x, CVE-2017-1000086
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000086
- https://jenkins.io/security/advisory/2017-07-10/
- http://www.securityfocus.com/bid/100437
- https://github.com/advisories/GHSA-5293-3fgp-cr3x
Affected Packages
maven:org.jenkins-ci.plugins:periodicbackup
Affected Version Ranges: <= 1.4Fixed in: 1.5