Missing permission checks in Jenkins Fortify on Demand Plugin

2022-05-2417:22:19

Google

osv.dev

0.001 Low

EPSS

Percentile

22.0%

JSON

A missing permission check in Jenkins Fortify on Demand Plugin 5.0.1 and earlier allows attackers with Overall/Read permission to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs.

This form validation method requires appropriate permission in Fortify on Demand Plugin 6.0.1.

CPENameOperatorVersion
org.jenkins-ci.plugins:fortify-on-demand-uploadereq1.02
org.jenkins-ci.plugins:fortify-on-demand-uploadereq3.0.4
org.jenkins-ci.plugins:fortify-on-demand-uploadereq1.09
org.jenkins-ci.plugins:fortify-on-demand-uploadereq4.0.1
org.jenkins-ci.plugins:fortify-on-demand-uploadereq3.0.8
org.jenkins-ci.plugins:fortify-on-demand-uploadereq2.0.4
org.jenkins-ci.plugins:fortify-on-demand-uploadereq3.0.2
org.jenkins-ci.plugins:fortify-on-demand-uploadereq2.0.8
org.jenkins-ci.plugins:fortify-on-demand-uploadereq1.07
org.jenkins-ci.plugins:fortify-on-demand-uploadereq1.01

Name	Operator	Version
org.jenkins-ci.plugins:fortify-on-demand-uploader	eq	1.02
org.jenkins-ci.plugins:fortify-on-demand-uploader	eq	3.0.4
org.jenkins-ci.plugins:fortify-on-demand-uploader	eq	1.09
org.jenkins-ci.plugins:fortify-on-demand-uploader	eq	4.0.1
org.jenkins-ci.plugins:fortify-on-demand-uploader	eq	3.0.8
org.jenkins-ci.plugins:fortify-on-demand-uploader	eq	2.0.4
org.jenkins-ci.plugins:fortify-on-demand-uploader	eq	3.0.2
org.jenkins-ci.plugins:fortify-on-demand-uploader	eq	2.0.8
org.jenkins-ci.plugins:fortify-on-demand-uploader	eq	1.07
org.jenkins-ci.plugins:fortify-on-demand-uploader	eq	1.01