CVE-2023-3315 – org.jenkins-ci.plugins:teamconcert

Package

Manager: maven
Name: org.jenkins-ci.plugins:teamconcert
Vulnerable Version: >=0 <2.4.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00176 pctl0.39431

Details

Jenkins Team Concert Plugin does not perform permission checks in methods implementing form validation Jenkins Team Concert Plugin 2.4.1 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. Team Concert Plugin 2.4.2 requires Overall/Administer permission for the affected form validation methods.

Metadata

Created: 2023-06-19T21:30:21Z
Modified: 2023-06-20T16:35:50Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-hcpw-v727-64qh/GHSA-hcpw-v727-64qh.json
CWE IDs: ["CWE-862"]
Alternative ID: GHSA-hcpw-v727-64qh
Finding: F039
Auto approve: 1