Headline

GHSA-565r-pf5q-45v6: Jenkins Missing Permission Check

Jenkins 2.503 and earlier, LTS 2.492.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Computer/Create permission but without Computer/Extended Read permission to copy an agent, gaining access to its configuration.

Jenkins 2.504, LTS 2.492.3 requires Computer/Extended Read permission to copy an agent.

2 months ago

ghsa

Open in Source

#vulnerability #auth

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

ghsa: Latest News

GHSA-2x5j-vhc8-9cwm: CIRCL-Fourq: Missing and wrong validation can lead to incorrect results

6 hours ago

ghsa

GHSA-rh67-4c8j-hjjh: Nautobot may allows uploaded media files to be accessible without authentication

6 hours ago

ghsa

GHSA-68cf-j696-wvv9: GeoServer vulnerable to SSRF in TestWfsPost for specific targets, e.g. PHP + Nginx

7 hours ago

ghsa

GHSA-wjw6-95h5-4jpx: Nautobot vulnerable to secrets exposure and data manipulation through Jinja2 templating

7 hours ago

ghsa

GHSA-x958-rvg6-956w: matrix-sdk-crypto vulnerable to sender of encrypted events being spoofed by homeserver administrator

7 hours ago

ghsa