CVE-2024-52549

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-52549
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-52549.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-52549
Aliases
Downstream
Related
Published
2024-11-13T21:15:29Z
Modified
2025-10-16T06:13:28.966996Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
[none]
Details

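Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va3bb89f8a95b_ and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files on the controller file system. The signature data on this page points to `doCheckPath` in `ClasspathEntry.java` as the form-validation method concerned, and the CVSS vector (C:L/I:N/A:N) is consistent with an exposure limited to confirming whether a file exists. The affected range below shows no Fixed event as rendered here, so use the version bounds in this description when checking an installation.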

References

Affected packages

Git / github.com/jenkinsci/script-security-plugin

Affected ranges

Type
GIT
Repo
https://github.com/jenkinsci/script-security-plugin
Events
Introduced
0 (unknown introduced commit; all previous commits are treated as affected)
Fixed

Affected versions

1118.*

1118.vba21ca2e3286

1125.*

1125.v132f99385e1b_

1131.*

1131.v8b_b_5eda_c328e

1138.*

1138.v8e727069a_025

1140.*

1140.vf967fb_efa_55a_

1145.*

1145.vb_cf6cf6ed960

1146.*

1146.vdf547f19a_473

1158.*

1158.v7c1b_73a_69a_08

1172.*

1172.v35f6a_0b_8207e

1175.*

1175.v4b_d517d6db_f0

1183.*

1183.v774b_0b_0a_a_451

1184.*

1184.v85d16b_d851b_3

1189.*

1189.vb_a_b_7c8fd5fde

1190.*

1190.v65867a_a_47126

1209.*

1209.v50b_005db_19db

1218.*

1218.v39ca_7f7ed0a_c

1228.*

1228.vd93135a_2fb_25

1229.*

1229.v4880b_b_e905a_6

1244.*

1244.ve463715a_f89c

1251.*

1251.vfe552ed55f8d

1264.*

1264.vecf66020eb_7d

1265.*

1265.va_fb_290b_4b_d34

1269.*

1269.v639888f5e366

1271.*

1271.vdede89739a_81

1273.*

1273.v66c1964f0dfd

1274.*

1274.v2b_33362a_f2f5

1275.*

1275.v23895f409fb_d

1281.*

1281.v22fb_899df1a_e

1294.*

1294.v99333c047434

1301.*

1301.v0079b_cd0cdfa_

1305.*

1305.v487433146192

1310.*

1310.vf24a_dfce068b_

1313.*

1313.v7a_6067dc7087

1321.*

1321.va_73c0795b_923

1326.*

1326.vdb_c154de8669

1335.*

1335.vf07d9ce377a_e

1336.*

1336.vf33a_a_9863911

1341.*

1341.va_2819b_414686

1354.*

1354.va_70a_fe478c7f

1358.*

1358.vb_26663c13537

1361.*

1361.v913100720139

1362.*

1362.v67dc1f0e1b_b_3

script-security-1.*

script-security-1.0
script-security-1.0-beta-1
script-security-1.0-beta-2
script-security-1.0-beta-3
script-security-1.0-beta-4
script-security-1.0-beta-5
script-security-1.0-beta-6
script-security-1.1
script-security-1.10
script-security-1.11
script-security-1.12
script-security-1.13
script-security-1.14
script-security-1.15
script-security-1.16
script-security-1.17
script-security-1.18
script-security-1.19
script-security-1.2
script-security-1.20
script-security-1.21
script-security-1.22
script-security-1.23
script-security-1.24
script-security-1.25
script-security-1.26
script-security-1.27
script-security-1.28
script-security-1.29
script-security-1.3
script-security-1.30
script-security-1.31
script-security-1.32
script-security-1.33
script-security-1.34
script-security-1.35
script-security-1.36
script-security-1.37
script-security-1.38
script-security-1.39
script-security-1.4
script-security-1.40
script-security-1.41
script-security-1.42
script-security-1.43
script-security-1.44
script-security-1.45
script-security-1.46
script-security-1.47
script-security-1.48
script-security-1.49
script-security-1.5
script-security-1.50
script-security-1.51
script-security-1.52
script-security-1.53
script-security-1.54
script-security-1.55
script-security-1.56
script-security-1.57
script-security-1.58
script-security-1.59
script-security-1.6
script-security-1.60
script-security-1.61
script-security-1.62
script-security-1.63
script-security-1.64
script-security-1.65
script-security-1.66
script-security-1.67
script-security-1.68
script-security-1.69
script-security-1.7
script-security-1.70
script-security-1.71
script-security-1.72
script-security-1.73
script-security-1.74
script-security-1.75
script-security-1.76
script-security-1.77
script-security-1.78
script-security-1.8
script-security-1.9

Database specific

{
    "vanir_signatures": [
        {
            "signature_version": "v1",
            "target": {
                "file": "src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntryTest.java"
            },
            "signature_type": "Line",
            "source": "https://github.com/jenkinsci/script-security-plugin/commit/4cf2dc5d8776b119e25d203abbe695fc618c5129",
            "deprecated": false,
            "digest": {
                "line_hashes": [
                    "193410768796351728727837844957838058436",
                    "308449359965148705106045089545175663024",
                    "70254606833208612478548142620525665098",
                    "145388454790940895567368335367892403959",
                    "31321161448093970395994335414378363678",
                    "312627828705634245046445452119695915922",
                    "68318486562706965078557680180936860408",
                    "20352715551907359143121437263126143571",
                    "90652348198020426199518007589717669421",
                    "101534678982371058730167491000974325178",
                    "152630884979021048180118070804443023465",
                    "105924225983465571160070043219025750091",
                    "256005176241261059819027871433164645265",
                    "219636036993808822974804566224973852703",
                    "268733109085444326595412406276556843127",
                    "292489530028342391509674792423830728461",
                    "131124704568120059738221446934279290012"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2024-52549-0e0a8c4a"
        },
        {
            "signature_version": "v1",
            "target": {
                "function": "doCheckPath",
                "file": "src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntry.java"
            },
            "signature_type": "Function",
            "source": "https://github.com/jenkinsci/script-security-plugin/commit/4cf2dc5d8776b119e25d203abbe695fc618c5129",
            "deprecated": false,
            "digest": {
                "length": 469.0,
                "function_hash": "259207047481206575408060854090071958148"
            },
            "id": "CVE-2024-52549-25799be9"
        },
        {
            "signature_version": "v1",
            "target": {
                "file": "src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntry.java"
            },
            "signature_type": "Line",
            "source": "https://github.com/jenkinsci/script-security-plugin/commit/4cf2dc5d8776b119e25d203abbe695fc618c5129",
            "deprecated": false,
            "digest": {
                "line_hashes": [
                    "24547975384074007603511287741408394634",
                    "235005261391228511367957503664577997348",
                    "169968529053850430407217217721100964666",
                    "328917981062353611706021529637738109754",
                    "157086698411370408145979854950384106838",
                    "208053156037906562936496021286795690056",
                    "147097497329705971013015164632204890555"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2024-52549-786c6515"
        }
    ]
}