Information Exposure Affecting org.jenkins-ci.plugins:script-security package, versions [,1362.1364.v4cf2dc5d8776)[1365.v4778ca_84b_de5,1365.1367.va_3b_b_89f8a_95b_)[1366.vd44b_49a_5c85c,1368.vb_b_402e3547e7)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.04% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-ORGJENKINSCIPLUGINS-8376683
  • published14 Nov 2024
  • disclosed14 Nov 2024
  • creditUnknown

Introduced: 14 Nov 2024

CVE-2024-52549  (opens in a new tab)
CWE-200  (opens in a new tab)

How to fix?

Upgrade org.jenkins-ci.plugins:script-security to version 1362.1364.v4cf2dc5d8776, 1365.1367.va_3b_b_89f8a_95b_, 1368.vb_b_402e3547e7 or higher.

Overview

org.jenkins-ci.plugins:script-security is a package that allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.

Affected versions of this package are vulnerable to Information Exposure due to missing checks of permissions in the method implementing form validation, which allows attackers with Overall/Read permission to check for the existence of files on the controller file system.

CVSS Scores

version 4.0
version 3.1