Fluid Attacks Database

Description

Rebuilding a run with revoked script approval allowed by Jenkins Pipeline: Groovy Plugin Jenkins Pipeline: Groovy Plugin 3990.vd281dd77a_388 and earlier, except 3975.3977.v478dd9e956c3 does not check whether the main (Jenkinsfile) script for a rebuilt build is approved, allowing attackers with Item/Build permission to rebuild a previous build whose (Jenkinsfile) script is no longer approved. This allows attackers with Item/Build permission to rebuild a previous build whose (Jenkinsfile) script is no longer approved. Pipeline: Groovy Plugin 3993.v3e20a_37282f8 refuses to rebuild a build whose main (Jenkinsfile) script is unapproved.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.jenkins-ci.plugins.workflow:workflow-cps	>=0 <3993.v3e20a	3993.v3e20a

Aliases

1. CVE-2024-525502. NVD-2024-525503. OSV-2024-525504. GCVE-2024-52550

References

1. https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-33622. https://github.com/Anton-ai111/CVE-2024-52550

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.