Access Control Bypass Affecting org.jenkins-ci.plugins:rundeck package, versions [0,]


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.52% (41st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-ORGJENKINSCIPLUGINS-3030364
  • published22 Sept 2022
  • disclosed22 Sept 2022
  • creditDaniel Beck, CloudBees, Inc.

Introduced: 22 Sep 2022

CVE-2022-41233  (opens in a new tab)
CWE-284  (opens in a new tab)

How to fix?

There is no fixed version for org.jenkins-ci.plugins:rundeck.

Overview

org.jenkins-ci.plugins:rundeck is a Notifier that will talk to a RunDeck instance (via its HTTP API) to schedule a job execution on RunDeck after a successful build on Jenkins.

Affected versions of this package are vulnerable to Access Control Bypass. Rundeck Plugin 3.6.11 and earlier does not perform Run/Artifacts permission checks in multiple HTTP endpoints.This allows attackers with Item/Read permission to obtain information about build artifacts of a given job, if the optional Run/Artifacts permission is enabled.As of publication of this advisory, there is no fix.

CVSS Base Scores

version 3.1