66 matches found
CVE-2023-28668
Jenkins Role-based Authorization Strategy Plugin 587.v2872c41fae51 and earlier grants permissions even after they've been disabled...
CVE-2023-28668
The CVE-2023-28668 entry concerns Jenkins’ Role-based Authorization Strategy Plugin. Affected: plugin version 587.v2872c41fa_e51 and earlier. Root cause: permissions can be granted and remain effective after being disabled (e.g., via script console or group assignments). Impact: attackers could g...
CVE-2023-28668
Jenkins Role-based Authorization Strategy Plugin 587.v2872c41fae51 and earlier grants permissions even after they've been disabled...
PT-2023-21889 · Jenkins · Jenkins Role-Based Authorization Strategy Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Role-based Authorization Strategy Plugin versions 587.v2872c41fa e51 and earlier Description: The issue allows attackers to have greater access than they are entitled to after a permission is granted and then disabled. This occurs...
Incorrect permission checks in Jenkins Role-based Authorization Strategy Plugin may allow accessing some items
Items like jobs can be organized hierarchically in Jenkins, using the Folders Plugin or something similar. An item is expected to be accessible only if all its ancestors are accessible as well. Role-based Authorization Strategy Plugin 3.1 and earlier does not correctly perform permission checks t...
GHSA-RM4M-39FJ-288C Incorrect permission checks in Jenkins Role-based Authorization Strategy Plugin may allow accessing some items
Items like jobs can be organized hierarchically in Jenkins, using the Folders Plugin or something similar. An item is expected to be accessible only if all its ancestors are accessible as well. Role-based Authorization Strategy Plugin 3.1 and earlier does not correctly perform permission checks t...
Improper authorization due to caching in Jenkins Role-based Authorization Strategy Plugin
Role-based Authorization Strategy Plugin 2.12 and newer uses a cache to speed up permission lookups. Role-based Authorization Strategy Plugin 3.0 and earlier this cache is not invalidated properly when an administrator changes the permission configuration. This can result in permissions being...
GHSA-25G4-P347-X748 Improper authorization due to caching in Jenkins Role-based Authorization Strategy Plugin
Role-based Authorization Strategy Plugin 2.12 and newer uses a cache to speed up permission lookups. Role-based Authorization Strategy Plugin 3.0 and earlier this cache is not invalidated properly when an administrator changes the permission configuration. This can result in permissions being...
GHSA-9QHQ-J4XM-CW48 PicketLink does not properly check role based authorization
The invokeNextValve function in identity/federation/bindings/tomcat/idp/AbstractIDPValve.java in PicketLink before 2.7.1.Final does not properly check role based authorization, which allows remote authenticated users to gain access to restricted application resources via a 1 direct request or 2...
PicketLink does not properly check role based authorization
The invokeNextValve function in identity/federation/bindings/tomcat/idp/AbstractIDPValve.java in PicketLink before 2.7.1.Final does not properly check role based authorization, which allows remote authenticated users to gain access to restricted application resources via a 1 direct request or 2...
CSRF vulnerability in Jenkins Role-based Authorization Strategy Plugin configuration
Role-based Authorization Strategy Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to add administrator role to any user, or to remove the authorization configuration, preventing legitimate access t...
GHSA-774G-R3FM-4V85 CSRF vulnerability in Jenkins Role-based Authorization Strategy Plugin configuration
Role-based Authorization Strategy Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to add administrator role to any user, or to remove the authorization configuration, preventing legitimate access t...
Spinnaker 访问控制错误漏洞
Spinnaker is a continuous delivery platform. Used to release software changes with high speed and confidence. Spinnaker has a security vulnerability that stems from the presence of inappropriate privileges in the software that allow for pipeline creation and execution. This allows an arbitrary us...
CVE-2021-21624
An incorrect permission check in Jenkins Role-based Authorization Strategy Plugin 3.1 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders...
CVE-2021-21624
An incorrect permission check in Jenkins Role-based Authorization Strategy Plugin 3.1 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders...
Jenkins Role-based Authorization Strategy 权限许可和访问控制问题漏洞
Jenkins Role-based Authorization Strategy is Jenkins open source an application plugin . The plugin is used to add a new role-based mechanism to manage user rights . A privilege impropriety vulnerability exists in Jenkins Role-based Authorization Strategy Plugin 3.1 and earlier versions. An...
PT-2021-14667 · Oracle +1 · Java +1
Name of the Vulnerable Software and Affected Versions: Jenkins Role-based Authorization Strategy Plugin versions 3.1 and earlier Description: The issue arises from an incorrect permission check, allowing attackers with Item/Read permission on nested items to access them even if they lack Item/Rea...
CVE-2020-1958
When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid. They are still subject to role-based...
Vulnerability fixed in Cloudforms
RedHat has fixed a vulnerability in CloudForms Management Engine. Due to a flaw in Role Based authorizations, an authorized malicious person is able to execute commands with administrator privileges, or gain access to sensitive data. This vulnerability was previously reported as the vulnerability...
The vulnerability in the web interface of the Cisco Identity Services Engine allows a perpetrator to modify the configuration of a vulnerable device.
The vulnerability of the Cisco Identity Services Engine’s network policy management web interface is related to access control errors based on role-based authorization RBAC. Exploiting this vulnerability could allow a malicious actor to remotely alter the configuration of the vulnerable device...