Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03ajN4LXhtNGotamZqN84AAn3E
Missing permission checks in Jenkins Warnings Next Generation Plugin allow listing workspace contents
Jenkins Warnings Next Generation Plugin 8.4.4 and earlier does not perform permission checks in methods implementing form validation. Such methods (the `doCheck*` methods on plugin descriptors) are invoked by HTTP requests from the job configuration form, and Jenkins does not apply a permission check to them automatically; a validation method that inspects the workspace is therefore reachable by any user who can send the request.
This allows attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents. A sequence of requests can be used to effectively list workspace contents.
Jenkins Warnings Next Generation Plugin 8.5.0 requires Item/Configure permission to validate patterns with workspace contents.
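The following is an added illustration of the bug class, not code from the Warnings Next Generation plugin or the Jenkins project. It shows a hypothetical descriptor with a workspace-backed pattern validation method in its vulnerable shape beside the hardened shape that the 8.5.0 fix adopts: gate the workspace check on Item/Configure for the job reached through the request. The class name, method names and package are assumptions; the Jenkins core APIs used (`FilePath.validateAntFileMask`, `AbstractProject.getSomeWorkspace`, `AccessControlled.hasPermission`, `FormValidation`) are real.

```java
// Hypothetical example (not the Warnings NG plugin's own code) of a Jenkins
// form validation method that checks an Ant-style file pattern against a
// job's workspace. In a real plugin this would live on the tool's Descriptor
// so that Stapler binds it to /job/<name>/descriptorByName/.../checkPattern.
package example.jenkins; // assumed package

import java.io.IOException;

import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

import hudson.FilePath;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.util.FormValidation;

public class PatternValidation {

    /**
     * VULNERABLE shape (the SECURITY-2041 pattern): no permission check.
     * Anyone who can reach the job (Item/Read) can submit arbitrary patterns
     * and learn from the result whether they match files in the workspace.
     * Iterating patterns ("*.key", "secrets/*", ...) turns this into a
     * directory listing of a workspace the caller may not read.
     */
    public FormValidation doCheckPatternVulnerable(
            @AncestorInPath AbstractProject<?, ?> project,
            @QueryParameter String value) throws IOException, InterruptedException {
        if (project == null) {
            return FormValidation.ok();
        }
        return validateAgainstWorkspace(project, value);
    }

    /**
     * HARDENED shape: require Item/Configure on the job before touching the
     * workspace. Returning ok() rather than an error for unauthorised callers
     * is the usual Jenkins convention for validation methods, so the form
     * still renders for users who can see but not edit the job, and the
     * response carries no information about workspace contents.
     */
    public FormValidation doCheckPattern(
            @AncestorInPath AbstractProject<?, ?> project,
            @QueryParameter String value) throws IOException, InterruptedException {
        if (project == null || !project.hasPermission(Item.CONFIGURE)) {
            return FormValidation.ok();
        }
        return validateAgainstWorkspace(project, value);
    }

    /** Shared workspace check; the permission decision must happen before this is called. */
    private static FormValidation validateAgainstWorkspace(
            AbstractProject<?, ?> project, String pattern)
            throws IOException, InterruptedException {
        FilePath workspace = project.getSomeWorkspace();
        if (workspace == null) {
            // No workspace yet (job never built): nothing to match against.
            return FormValidation.ok();
        }
        // validateAntFileMask returns null when the pattern matches at least
        // one file within the scan bound, otherwise a human-readable message
        // such as "'secrets/*' doesn't match anything". That message is the
        // oracle the vulnerable method leaks.
        String problem = workspace.validateAntFileMask(
                pattern, FilePath.VALIDATE_ANT_FILE_MASK_BOUND);
        return problem == null ? FormValidation.ok() : FormValidation.error(problem);
    }
}
```

When reviewing a plugin for this class of issue, look for every `doCheck*`, `doFill*` and `doTest*` method that takes an `@AncestorInPath` item and does any I/O, and confirm the first thing it does is a permission check scoped to that item; a global `Jenkins.get().hasPermission(...)` check is not a substitute, because it does not limit the caller to jobs they are allowed to configure.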
Permalink: https://github.com/advisories/GHSA-7j3x-xm4j-jfj7
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03ajN4LXhtNGotamZqN84AAn3E
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 7 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-7j3x-xm4j-jfj7, CVE-2021-21626
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-21626
- https://www.jenkins.io/security/advisory/2021-03-18/#SECURITY-2041
- http://www.openwall.com/lists/oss-security/2021/03/18/5
- https://github.com/advisories/GHSA-7j3x-xm4j-jfj7
Affected Packages
maven:io.jenkins.plugins:warnings-ng
Affected Version Ranges: <= 8.4.4
Fixed in: 8.5.0