[JENKINS:SECURITY-1422] Missing permission check in `workflow-cps-global-lib`

Severity: Medium
Affected Packages: 2
Fixed Packages: 2
CVEs: 1

workflow-cps-global-lib provides form validation to determine whether the revision (e.g. commit, tag, or branch name) specified for a global library exists in the repository.
This form validation method lacked a permission check, allowing attackers with Overall/Read access to determine whether an attacker-specified revision exists in an SCM repository configured for use in an existing shared library.

workflow-cps-global-lib now performs the appropriate permission check.

ID: JENKINS:SECURITY-1422
Severity: medium
Published: 2019-07-31T00:00:00
Modified: 2019-07-31T00:00:00
Rights: Jenkins Security Team
Other Advisories
Source # ID Name URL
Plugin repository workflow-cps-global-lib repository https://github.com/jenkinsci/workflow-cps-global-lib-plugin
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/org.jenkins-ci.plugins/workflow-cps-global-lib | org.jenkins-ci.plugins | workflow-cps-global-lib | <= 2.14 | | | |
| Fixed | pkg:maven/org.jenkins-ci.plugins/workflow-cps-global-lib | org.jenkins-ci.plugins | workflow-cps-global-lib | = 2.15 | | | |
| Affected | pkg:github/jenkinsci/workflow-cps-global-lib-plugin | jenkinsci | workflow-cps-global-lib-plugin | <= 2.14 | | | |
| Fixed | pkg:github/jenkinsci/workflow-cps-global-lib-plugin | jenkinsci | workflow-cps-global-lib-plugin | = 2.15 | | | |