CVE-2020-2323 – io.jenkins.plugins:chaos-monkey
Package
Manager: maven
Name: io.jenkins.plugins:chaos-monkey
Vulnerable Version: >=0 <0.4.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00206 (percentile 0.42841)
Details
Missing permission checks in Jenkins Chaos Monkey Plugin
Jenkins Chaos Monkey Plugin 0.4 and earlier does not perform permission checks in an HTTP endpoint. This allows attackers with Overall/Read permission to access the Chaos Monkey page and to see the history of actions. Jenkins Chaos Monkey Plugin 0.4.1 requires Overall/Administer permission to access the Chaos Monkey page and to see the history of actions.
Metadata
Created: 2022-05-24T17:35:09Z
Modified: 2023-10-27T13:15:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-hx53-635r-vmv8/GHSA-hx53-635r-vmv8.json
CWE IDs: ["CWE-862"]
Alternative ID: GHSA-hx53-635r-vmv8
Finding: F039
Auto approve: 1