CVE-2021-21626 – io.jenkins.plugins:warnings-ng
Package
Manager: maven
Name: io.jenkins.plugins:warnings-ng
Vulnerable Version: >=0 <8.5.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00031 (percentile 0.07238)
Details
Missing permission checks in Jenkins Warnings Next Generation Plugin allow listing workspace contents

Jenkins Warnings Next Generation Plugin 8.4.4 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents. A sequence of requests can be used to effectively list workspace contents. Jenkins Warnings Next Generation Plugin 8.5.0 requires Item/Configure permission to validate patterns with workspace contents.
Metadata
Created: 2022-05-24T17:44:48Z
Modified: 2023-10-27T13:54:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7j3x-xm4j-jfj7/GHSA-7j3x-xm4j-jfj7.json
CWE IDs: CWE-862
Alternative ID: GHSA-7j3x-xm4j-jfj7
Finding: F039
Auto approve: 1