[JENKINS:SECURITY-2246] Missing permission check in `cloud-stats`

Severity: Low
Affected Packages: 2
Fixed Packages: 2
CVEs: 1

cloud-stats 0.26 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission and knowledge of random activity IDs to view related provisioning exception error messages.

cloud-stats 0.27 requires Overall/Administer permission to access provisioning exception error messages.

ID: JENKINS:SECURITY-2246
Severity: low
Published: 2021-03-30T00:00:00
Modified: 2021-03-30T00:00:00
Rights: Jenkins Security Team
Other Advisories
Source # ID Name URL
Plugin repository cloud-stats repository https://github.com/jenkinsci/cloud-stats-plugin
| Type | Package URL | Namespace | Name / Product | Version |
|---|---|---|---|---|
| Affected | pkg:maven/org.jenkins-ci.plugins/cloud-stats | org.jenkins-ci.plugins | cloud-stats | <= 0.26 |
| Fixed | pkg:maven/org.jenkins-ci.plugins/cloud-stats | org.jenkins-ci.plugins | cloud-stats | = 0.27 |
| Affected | pkg:github/jenkinsci/cloud-stats-plugin | jenkinsci | cloud-stats-plugin | <= 0.26 |
| Fixed | pkg:github/jenkinsci/cloud-stats-plugin | jenkinsci | cloud-stats-plugin | = 0.27 |