GitHub Advisory Database: GHSA-XXV9-W5HM-328J
History: Mar 06, 2024 - 6:30 p.m.

Jenkins AppSpider Plugin missing permission checks

2024-03-06 18:30:38
GitHub Advisory Database
github.com
jenkins
appspider plugin
permission checks
http
security loophole
attackers
information security

AI Score: 6.3 Medium (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.2%)

Jenkins AppSpider Plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names.

Affected configurations

Vulners
Node: rapid7appspider, Range: <1.0.17
