CVE-2017-1000086 – org.jenkins-ci.plugins:periodicbackup
Package
Manager: maven
Name: org.jenkins-ci.plugins:periodicbackup
Vulnerable Version: >=0 <1.5
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00088 pctl0.26091
Details
Missing permission checks in Jenkins Periodic Backup Plugin allow every user to change settings
The Periodic Backup Plugin did not perform any permission checks, allowing any user with Overall/Read access to change its settings, trigger backups, restore backups, download backups, and also delete all previous backups via log rotation. Additionally, the plugin did not require that requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks.
Metadata
Created: 2022-05-13T01:18:19Z
Modified: 2024-01-30T21:58:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5293-3fgp-cr3x/GHSA-5293-3fgp-cr3x.json
CWE IDs: ["CWE-862"]
Alternative ID: GHSA-5293-3fgp-cr3x
Finding: F039
Auto approve: 1