CVE-2024-52551 – org.jenkinsci.plugins:pipeline-model-parent

Package

Manager: maven
Name: org.jenkinsci.plugins:pipeline-model-parent
Vulnerable Version: >=0 <2.2218.v56d0cda

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00108 pctl0.29703

Details

Restarting a run with revoked script approval allowed by Jenkins Pipeline: Declarative Plugin Jenkins Pipeline: Declarative Plugin 2.2214.vb_b_34b_2ea_9b_83 and earlier does not check whether the main (Jenkinsfile) script used to restart a build from a specific stage is approved, allowing attackers with Item/Build permission to restart a previous build whose (Jenkinsfile) script is no longer approved. This allows attackers with Item/Build permission to restart a previous build whose (Jenkinsfile) script is no longer approved. Pipeline: Declarative Plugin 2.2218.v56d0cda_37c72 refuses to restart a build whose main (Jenkinsfile) script is unapproved.

Metadata

Created: 2024-11-13T21:30:38Z
Modified: 2024-11-14T15:43:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-p2qq-c693-q53w/GHSA-p2qq-c693-q53w.json
CWE IDs: ["CWE-276", "CWE-285"]
Alternative ID: GHSA-p2qq-c693-q53w
Finding: F159
Auto approve: 1