[MAVEN:GHSA-8PV9-QH96-9HC6] Jenkins does not perform a permission check in an HTTP endpoint

Severity Moderate
Affected Packages 3
Fixed Packages 3
CVEs 1

Jenkins 2.470 and earlier, and LTS 2.452.3 and earlier, do not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to access other users' "My Views". Attackers with global View/Configure and View/Delete permissions are also able to change other users' "My Views".

Jenkins 2.471, LTS 2.452.4, and LTS 2.462.1 restrict access to a user’s "My Views" to the owning user and administrators.

ID: MAVEN:GHSA-8PV9-QH96-9HC6
Severity: moderate
URL: https://github.com/advisories/GHSA-8pv9-qh96-9hc6
Published: 2024-08-07T15:30:42
Modified: 2024-08-07T18:26:59
Rights: Maven Security Team
Other Advisories
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/org.jenkins-ci.main/jenkins-core | org.jenkins-ci.main | jenkins-core | >= 2.470 < 2.471 | | | |
| Fixed | pkg:maven/org.jenkins-ci.main/jenkins-core | org.jenkins-ci.main | jenkins-core | = 2.471 | | | |
| Affected | pkg:maven/org.jenkins-ci.main/jenkins-core | org.jenkins-ci.main | jenkins-core | >= 2.460 < 2.462.1 | | | |
| Fixed | pkg:maven/org.jenkins-ci.main/jenkins-core | org.jenkins-ci.main | jenkins-core | = 2.462.1 | | | |
| Affected | pkg:maven/org.jenkins-ci.main/jenkins-core | org.jenkins-ci.main | jenkins-core | < 2.452.4 | | | |
| Fixed | pkg:maven/org.jenkins-ci.main/jenkins-core | org.jenkins-ci.main | jenkins-core | = 2.452.4 | | | |