Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yOTU5LWZqNzMtaG04cM4AAoNq
Missing permission checks in Jenkins Config File Provider Plugin allow enumerating configuration file IDs
Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to enumerate configuration file IDs.
An enumeration of configuration file IDs in Jenkins Config File Provider Plugin 3.7.1 requires the appropriate permissions.
Permalink: https://github.com/advisories/GHSA-2959-fj73-hm8pJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yOTU5LWZqNzMtaG04cM4AAoNq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 5 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-2959-fj73-hm8p, CVE-2021-21645
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-21645
- https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2203
- http://www.openwall.com/lists/oss-security/2021/04/21/2
- https://github.com/jenkinsci/config-file-provider-plugin/commit/b7f3c5150ad557e86414122c69be20075aee27fa
- https://github.com/advisories/GHSA-2959-fj73-hm8p
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:config-file-provider
Affected Version Ranges: <= 3.7.0Fixed in: 3.7.1