1. Home
  2. Security Advisories
  3. Jenkins
  4. JENKINS:SECURITY-2309

[JENKINS:SECURITY-2309] Missing permission check in `electricflow` allows scheduling builds

Severity Medium
Affected Packages 2
Fixed Packages 2
CVEs 1
Info Packages References Vulnerabilities

electricflow 1.1.21 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Item/Read permission to schedule builds of projects without having Item/Build permission.

electricflow 1.1.22 requires Item/Build permission to schedule builds via its HTTP endpoint.

Package Affected Version
pkg:maven/org.jenkins-ci.plugins/electricflow <= 1.1.21
pkg:github/jenkinsci/electricflow-plugin <= 1.1.21
Package Fixed Version
pkg:maven/org.jenkins-ci.plugins/electricflow = 1.1.22
pkg:github/jenkinsci/electricflow-plugin = 1.1.22
ID
JENKINS:SECURITY-2309
Severity
medium
Published
2021-04-21T00:00:00
(3 years ago)
Modified
2021-04-21T00:00:00
(3 years ago)
Rights
Jenkins Security Team
Other Advisories
Source # ID Name URL
Plugin repository electricflow repository https://github.com/jenkinsci/electricflow-plugin
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.jenkins-ci.plugins/electricflow org.jenkins-ci.plugins electricflow <= 1.1.21
Fixed pkg:maven/org.jenkins-ci.plugins/electricflow org.jenkins-ci.plugins electricflow = 1.1.22
Affected pkg:github/jenkinsci/electricflow-plugin jenkinsci electricflow-plugin <= 1.1.21
Fixed pkg:github/jenkinsci/electricflow-plugin jenkinsci electricflow-plugin = 1.1.22
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date