Lucene search

GitHub Advisory DatabaseGHSA-RQQX-FVQX-539G

HistoryJul 28, 2022 - 12:00 a.m.

Jenkins Deployer Framework Plugin allows attackers with Item/Read permission to read deployment logs

2022-07-2800:00:42

CWE-862

GitHub Advisory Database

github.com

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

22.0%

JSON

Jenkins Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Item/Read permission to read deployment logs.

Deployer Framework Plugin 86.v7b_a_4a_55b_f3ec requires Deploy Now/Deploy permission to read deployment logs.

Affected configurations

Vulners

Node

koala-frameworkkoala_frameworkRange≤85.v1d1888e8c021

CPENameOperatorVersion
org.jenkins-ci.plugins:deployer-frameworkle85.v1d1888e8c021

CPE	Name	Operator	Version
	org.jenkins-ci.plugins:deployer-framework	le	85.v1d1888e8c021

References

www.openwall.com/lists/oss-security/2022/07/27/1

github.com/advisories/GHSA-rqqx-fvqx-539g

github.com/jenkinsci/deployer-framework-plugin/commit/7ba4a55bf3ec567ee5325ea7b24b4086ac1cb3ad

nvd.nist.gov/vuln/detail/CVE-2022-36891

www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2205

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

22.0%

JSON

Related for GHSA-RQQX-FVQX-539G