GHSA-5293-3fgp-cr3x

Suggest an improvement
Source
https://github.com/advisories/GHSA-5293-3fgp-cr3x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5293-3fgp-cr3x/GHSA-5293-3fgp-cr3x.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5293-3fgp-cr3x
Aliases
Published
2022-05-13T01:18:19Z
Modified
2024-02-18T05:33:27.538368Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Missing permission checks in Jenkins Periodic Backup Plugin allow every user to change settings
Details

The Periodic Backup Plugin did not perform any permission checks, allowing any user with Overall/Read access to change its settings, trigger backups, restore backups, download backups, and also delete all previous backups via log rotation. Additionally, the plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks.

Database specific 
{
    "nvd_published_at": "2017-10-05T01:29:00Z",
    "cwe_ids": [
        "CWE-862"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-30T21:58:47Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:periodicbackup

Package

Name
org.jenkins-ci.plugins:periodicbackup
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/periodicbackup

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.5

Affected versions

1.*

1.0
1.1
1.2
1.3
1.4

Database specific 

{
    "last_known_affected_version_range": "<= 1.4"
}