1. Home
  2. Security Advisories
  3. Jenkins
  4. JENKINS:SECURITY-3064

[JENKINS:SECURITY-3064] Disabled permissions can be granted by `ssh2easy`

Severity Medium
Affected Packages 2
Fixed Packages 2
CVEs 1
Info Packages References Vulnerabilities

ssh2easy 1.4 and earlier does not verify that permissions configured to be granted are enabled.
This may allow users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they're no longer entitled to.

NOTE: As a workaround, administrators can save the permission configuration after disabling a permission, as that will overwrite any permission assignments of disabled permissions.

The affected features have been removed without replacement in ssh2easy 1.6.

Package Affected Version
pkg:maven/org.jenkins-ci.plugins/ssh2easy <= 1.4
pkg:github/jenkinsci/ssh2easy-plugin <= 1.4
Package Fixed Version
pkg:maven/org.jenkins-ci.plugins/ssh2easy = 1.6
pkg:github/jenkinsci/ssh2easy-plugin = 1.6
ID
JENKINS:SECURITY-3064
Severity
medium
Published
2023-09-06T00:00:00
(12 months ago)
Modified
2023-09-06T00:00:00
(12 months ago)
Rights
Jenkins Security Team
Other Advisories
Source # ID Name URL
Plugin repository ssh2easy repository https://github.com/jenkinsci/ssh2easy-plugin
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.jenkins-ci.plugins/ssh2easy org.jenkins-ci.plugins ssh2easy <= 1.4
Fixed pkg:maven/org.jenkins-ci.plugins/ssh2easy org.jenkins-ci.plugins ssh2easy = 1.6
Affected pkg:github/jenkinsci/ssh2easy-plugin jenkinsci ssh2easy-plugin <= 1.4
Fixed pkg:github/jenkinsci/ssh2easy-plugin jenkinsci ssh2easy-plugin = 1.6
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date