1. Home
  2. Security Advisories
  3. Jenkins
  4. JENKINS:SECURITY-2851

[JENKINS:SECURITY-2851] Lack of authentication mechanism in `spoonscript` webhook

Severity Medium
Affected Packages 2
CVEs 1
Info Packages References Vulnerabilities

spoonscript provides a webhook endpoint at /turbo-webhook/ that can be used to trigger builds of jobs configured to use a specified repository.

In spoonscript 1.3 and earlier, this endpoint can be accessed by attackers with Item/Read permission to trigger builds of jobs corresponding to the attacker-specified repository.

As of publication of this advisory, there is no fix.

Package Affected Version
pkg:maven/org.jenkins-ci.plugins/spoonscript <= 1.3
pkg:github/jenkinsci/spoonscript-plugin <= 1.3
ID
JENKINS:SECURITY-2851
Severity
medium
Published
2023-04-12T00:00:00
(17 months ago)
Modified
2023-04-12T00:00:00
(17 months ago)
Rights
Jenkins Security Team
Other Advisories
Source # ID Name URL
Plugin repository spoonscript repository https://github.com/jenkinsci/spoonscript-plugin
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.jenkins-ci.plugins/spoonscript org.jenkins-ci.plugins spoonscript <= 1.3
Affected pkg:github/jenkinsci/spoonscript-plugin jenkinsci spoonscript-plugin <= 1.3
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date