Jenkins AppSpider Plugin missing permission checks

2024-03-0618:30:38

Google

osv.dev

jenkins

appspider

plugin

security

permission checks

http endpoints

attackers

scan config

engine group

client names

6.3 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.2%

JSON

Jenkins AppSpider Plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names.

CPENameOperatorVersion
com.rapid7:jenkinsci-appspider-plugineq1.0.2
com.rapid7:jenkinsci-appspider-plugineq1.0.12
com.rapid7:jenkinsci-appspider-plugineq1.0.4
com.rapid7:jenkinsci-appspider-plugineq1.0.5
com.rapid7:jenkinsci-appspider-plugineq1.0.11
com.rapid7:jenkinsci-appspider-plugineq1.0.15
com.rapid7:jenkinsci-appspider-plugineq1.0.16
com.rapid7:jenkinsci-appspider-plugineq1.0.8
com.rapid7:jenkinsci-appspider-plugineq1.0.10
com.rapid7:jenkinsci-appspider-plugineq1.0.3

Name	Operator	Version
com.rapid7:jenkinsci-appspider-plugin	eq	1.0.2
com.rapid7:jenkinsci-appspider-plugin	eq	1.0.12
com.rapid7:jenkinsci-appspider-plugin	eq	1.0.4
com.rapid7:jenkinsci-appspider-plugin	eq	1.0.5
com.rapid7:jenkinsci-appspider-plugin	eq	1.0.11
com.rapid7:jenkinsci-appspider-plugin	eq	1.0.15
com.rapid7:jenkinsci-appspider-plugin	eq	1.0.16
com.rapid7:jenkinsci-appspider-plugin	eq	1.0.8
com.rapid7:jenkinsci-appspider-plugin	eq	1.0.10
com.rapid7:jenkinsci-appspider-plugin	eq	1.0.3