[MAVEN:GHSA-436G-2F92-CVHH] Jenkins Role-based Authorization Strategy Plugin grants permissions even after they’ve been disabled
- Severity: Moderate
- Affected Packages: 1
- Fixed Packages: 1
- CVEs: 1
Permissions in Jenkins can be enabled and disabled. Some permissions are disabled by default, e.g., Overall/Manage or Item/Extended Read. Disabled permissions cannot be granted directly, only through greater permissions that imply them (e.g., Overall/Administer or Item/Configure).
Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they’ve been disabled.
This allows attackers to retain greater access than they are entitled to once the following two operations have taken place, in this order:
- A permission is granted to the attackers, either directly or through a group they belong to.
- That permission is then disabled, e.g., through the script console.
Role-based Authorization Strategy Plugin 587.588.v850a_20a_30162 does not grant disabled permissions.
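To make the failure mode concrete, the following is an added, self-contained Java model of the behaviour the advisory describes; it is not code from the Role-based Authorization Strategy Plugin or Jenkins core. The `Permission`, `RoleMatrix`, `hasPermissionVulnerable` and `hasPermissionFixed` names, the `enabled` flag standing in for disabling a permission through the script console, and the `impliedBy` chain standing in for Jenkins' permission implication are all assumptions of this model. The two checks walk the same implication chain; the only difference is that the fixed variant refuses to honour a grant of a permission that is currently disabled, so such a permission is reachable only through an enabled permission that implies it.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class DisabledPermissionDemo {

    // Constructed model of a Jenkins-style permission (not the real hudson.security.Permission):
    // it can be enabled or disabled, and may be implied by one "greater" permission.
    static final class Permission {
        final String id;
        final Permission impliedBy;   // null for the root permission
        boolean enabled = true;

        Permission(String id, Permission impliedBy) {
            this.id = id;
            this.impliedBy = impliedBy;
        }
    }

    // Constructed model of a role matrix: roles hold directly granted permissions,
    // users are assigned roles.
    static final class RoleMatrix {
        private final Map<String, Set<Permission>> roles = new HashMap<>();
        private final Map<String, Set<String>> assignments = new HashMap<>();

        void grant(String role, Permission p) {
            roles.computeIfAbsent(role, k -> new HashSet<>()).add(p);
        }

        void assign(String user, String role) {
            assignments.computeIfAbsent(user, k -> new HashSet<>()).add(role);
        }

        private boolean roleHolds(String role, Permission p) {
            return roles.getOrDefault(role, Set.of()).contains(p);
        }

        // Vulnerable behaviour described by the advisory: every permission ever granted
        // to one of the user's roles is honoured, whether or not it has since been disabled.
        boolean hasPermissionVulnerable(String user, Permission p) {
            for (String role : assignments.getOrDefault(user, Set.of())) {
                for (Permission q = p; q != null; q = q.impliedBy) {
                    if (roleHolds(role, q)) return true;
                }
            }
            return false;
        }

        // Fixed behaviour: a disabled permission is never granted on its own; the walk up
        // the implication chain only accepts a grant of a permission that is enabled.
        boolean hasPermissionFixed(String user, Permission p) {
            for (String role : assignments.getOrDefault(user, Set.of())) {
                for (Permission q = p; q != null; q = q.impliedBy) {
                    if (q.enabled && roleHolds(role, q)) return true;
                }
            }
            return false;
        }
    }

    public static void main(String[] args) {
        Permission administer = new Permission("Overall/Administer", null);
        Permission manage = new Permission("Overall/Manage", administer); // implied by Administer

        RoleMatrix matrix = new RoleMatrix();

        // Step 1 of the advisory: the permission is enabled and granted to a role the user holds.
        manage.enabled = true;
        matrix.grant("developer", manage);
        matrix.assign("alice", "developer");

        // An administrator role holds Overall/Administer, which implies Overall/Manage.
        matrix.grant("admin", administer);
        matrix.assign("bob", "admin");

        // Step 2 of the advisory: the permission is disabled again after the grant.
        manage.enabled = false;

        // alice: the direct grant must no longer count; bob: still implied by Administer.
        System.out.println("alice Manage (vulnerable): " + matrix.hasPermissionVulnerable("alice", manage)); // true
        System.out.println("alice Manage (fixed):      " + matrix.hasPermissionFixed("alice", manage));      // false
        System.out.println("bob   Manage (vulnerable): " + matrix.hasPermissionVulnerable("bob", manage));   // true
        System.out.println("bob   Manage (fixed):      " + matrix.hasPermissionFixed("bob", manage));        // true
    }
}
```

The important design point is where the `enabled` test sits: it is applied to each permission as the chain is walked, not only to the permission originally asked for. Checking only the requested permission would wrongly deny a user who holds an enabled implying permission (bob above), while omitting the check altogether reproduces the vulnerable behaviour (alice above). Auditing a role configuration after disabling a permission is therefore a matter of re-evaluating effective permissions, not just inspecting what each role was granted.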
| Package | Affected Version |
|---|---|
| pkg:maven/org.jenkins-ci.plugins/role-strategy | < 587.588.v850a |

| Package | Fixed Version |
|---|---|
| pkg:maven/org.jenkins-ci.plugins/role-strategy | = 587.588.v850a_20a_30162 |
- ID: MAVEN:GHSA-436G-2F92-CVHH
- Severity: moderate
- URL: https://github.com/advisories/GHSA-436g-2f92-cvhh
- Published: 2023-04-02T21:30:17
- Modified: 2024-01-05T17:15:00
- Rights: Maven Security Team

Other Advisories
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/org.jenkins-ci.plugins/role-strategy | org.jenkins-ci.plugins | role-strategy | < 587.588.v850a | | | |
| Fixed | pkg:maven/org.jenkins-ci.plugins/role-strategy | org.jenkins-ci.plugins | role-strategy | = 587.588.v850a_20a_30162 | | | |