CVE-2017-1000390 – org.jenkins-ci.plugins:jenkins-multijob-plugin
Package
Manager: maven
Name: org.jenkins-ci.plugins:jenkins-multijob-plugin
Vulnerable Version: >=0 <1.26
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
EPSS: 0.0002 (percentile 0.03631)
Details
Jenkins Multijob plugin did not check permissions in the Resume Build action.
Jenkins Multijob plugin version 1.25 and earlier did not check permissions in the Resume Build action, allowing anyone with Job/Read permission to resume the build. Multijob plugin 1.26 introduced a permission check requiring Overall/Administer. This was lowered to Job/Build in version 1.27.
Metadata
Created: 2022-05-13T01:18:20Z
Modified: 2022-12-06T21:57:50Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-p9r2-gghq-hc57/GHSA-p9r2-gghq-hc57.json
CWE IDs: ["CWE-862"]
Alternative ID: GHSA-p9r2-gghq-hc57
Finding: F039
Auto approve: 1