Missing permission check in Jenkins Favorite Plugin

2022-05-1301:18:20

Google

osv.dev

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.7%

JSON

Jenkins Favorite Plugin up to and including 2.1.0 does not perform permission checks when changing favorite status, allowing any user to set any other user’s favorites

CPENameOperatorVersion
org.jvnet.hudson.plugins:favoriteeq2.0.1
org.jvnet.hudson.plugins:favoriteeq1.3
org.jvnet.hudson.plugins:favoriteeq1.7
org.jvnet.hudson.plugins:favoriteeq1.14
org.jvnet.hudson.plugins:favoriteeq2.0
org.jvnet.hudson.plugins:favoriteeq2.0.4
org.jvnet.hudson.plugins:favoriteeq1.16
org.jvnet.hudson.plugins:favoriteeq1.4
org.jvnet.hudson.plugins:favoriteeq1.9
org.jvnet.hudson.plugins:favoriteeq1.2

Name	Operator	Version
org.jvnet.hudson.plugins:favorite	eq	2.0.1
org.jvnet.hudson.plugins:favorite	eq	1.3
org.jvnet.hudson.plugins:favorite	eq	1.7
org.jvnet.hudson.plugins:favorite	eq	1.14
org.jvnet.hudson.plugins:favorite	eq	2.0
org.jvnet.hudson.plugins:favorite	eq	2.0.4
org.jvnet.hudson.plugins:favorite	eq	1.16
org.jvnet.hudson.plugins:favorite	eq	1.4
org.jvnet.hudson.plugins:favorite	eq	1.9
org.jvnet.hudson.plugins:favorite	eq	1.2