Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS03ajN4LXhtNGotamZqN84AAn3E

Missing permission checks in Jenkins Warnings Next Generation Plugin allow listing workspace contents

Jenkins Warnings Next Generation Plugin 8.4.4 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents. A sequence of requests can be used to effectively list workspace contents.

Jenkins Warnings Next Generation Plugin 8.5.0 requires Item/Configure permission before validating patterns against workspace contents, so callers with only Item/Read can no longer use the validation endpoint as a file-existence oracle.
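As an added illustration (this is not the Warnings Next Generation plugin's own source), the following shows the shape of a Jenkins form-validation method with the flaw the advisory describes, beside the hardened form that requires Item/Configure as 8.5.0 does. The class name, method names and the `pattern` parameter are hypothetical; the Jenkins core APIs used (`AbstractProject`, `FilePath.list`, `FormValidation`, `Item.CONFIGURE`) are real.

```java
// Added example, not code from the plugin. Class and method names are hypothetical.
import java.io.IOException;

import hudson.FilePath;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.util.FormValidation;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class PatternValidation {

    // BEFORE (vulnerable shape): Stapler exposes any doCheck* method as an HTTP
    // endpoint under the job, so anyone with Item/Read can call it. The method
    // reads the workspace without asking whether the caller may see it, and its
    // ok/error answer is a one-bit oracle ("something matches" vs "nothing matches").
    // Repeated calls with narrowing patterns such as "a*", "ab*", ... enumerate the
    // workspace, which is exactly what the advisory describes.
    public FormValidation doCheckPatternUnchecked(@AncestorInPath AbstractProject<?, ?> project,
                                                  @QueryParameter String pattern)
            throws IOException, InterruptedException {
        FilePath workspace = project.getSomeWorkspace();
        if (workspace == null) {
            return FormValidation.warning("No workspace available yet");
        }
        FilePath[] hits = workspace.list(pattern);
        return hits.length == 0
                ? FormValidation.error("Pattern '" + pattern + "' matches no files")
                : FormValidation.ok(hits.length + " file(s) match");
    }

    // AFTER (hardened): check Item/Configure before touching the workspace.
    // Jenkins convention for form validation is to return ok() to callers who
    // lack the permission rather than an error, so the UI degrades quietly and the
    // endpoint no longer leaks anything. @POST keeps the check from being reachable
    // through a plain GET link.
    @POST
    public FormValidation doCheckPattern(@AncestorInPath AbstractProject<?, ?> project,
                                         @QueryParameter String pattern)
            throws IOException, InterruptedException {
        if (project == null || !project.hasPermission(Item.CONFIGURE)) {
            return FormValidation.ok();
        }
        FilePath workspace = project.getSomeWorkspace();
        if (workspace == null) {
            return FormValidation.warning("No workspace available yet");
        }
        FilePath[] hits = workspace.list(pattern);
        return hits.length == 0
                ? FormValidation.error("Pattern '" + pattern + "' matches no files")
                : FormValidation.ok(hits.length + " file(s) match");
    }
}
```

When auditing a plugin for this class of bug, grep for `doCheck`, `doFill` and `doTest` methods that touch a `FilePath`, a credential store or an outbound connection, and confirm each one gates on the permission that the corresponding configuration form already requires (Item/Configure here; Item/Workspace would be the minimum for a read-only workspace probe).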

Permalink: https://github.com/advisories/GHSA-7j3x-xm4j-jfj7
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03ajN4LXhtNGotamZqN84AAn3E
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 7 months ago


CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-7j3x-xm4j-jfj7, CVE-2021-21626
References: none listed
Blast Radius: 1.0

Affected Packages

maven:io.jenkins.plugins:warnings-ng
Affected Version Ranges: <= 8.4.4
Fixed in: 8.5.0