GitHub Advisory DatabaseGHSA-9XHM-6W5P-335VJenkins Google Cloud Backup Plugin allows attackers with Overall/Read permission to request a manual backup.
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.5 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
22.2%
Jenkins Google Cloud Backup Plugin 0.6 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to request a manual backup.
Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
As of publication of this advisory, there is no fix.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.jenkins-ci.plugins:google-cloud-backup | le | 0.6 |
Related
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.5 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
22.2%