GHSA-hcpw-v727-64qh

Source

https://github.com/advisories/GHSA-hcpw-v727-64qh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-hcpw-v727-64qh/GHSA-hcpw-v727-64qh.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-hcpw-v727-64qh

Aliases

CVE-2023-3315

Published

2023-06-19T21:30:21Z

Modified

2024-02-16T08:12:28.842606Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Jenkins Team Concert Plugin does not perform permission checks in methods implementing form validation

Details

Jenkins Team Concert Plugin 2.4.1 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Team Concert Plugin 2.4.2 requires Overall/Administer permission for the affected form validation methods.

Database specific

{
    "nvd_published_at": "2023-06-19T21:15:42Z",
    "cwe_ids": [
        "CWE-862"
    ],
    "github_reviewed_at": "2023-06-20T16:35:50Z",
    "severity": "MODERATE",
    "github_reviewed": true
}

References

Affected packages

Maven / org.jenkins-ci.plugins:teamconcert

Package

Name: org.jenkins-ci.plugins:teamconcert; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/teamconcert

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.2

Affected versions

1.*

1.0.1

1.0.4

1.0.5

1.0.7

1.0.10

1.0.11

1.0.12

1.1.2

1.1.8

1.1.9

1.1.9.1

1.1.9.2

1.1.9.3

1.1.9.4

1.1.9.5

1.1.9.6

1.1.9.6.1

1.1.9.7

1.1.9.8

1.1.9.9

1.2.0.0

1.2.0.1

1.2.0.2

1.2.0.3

1.2.0.4

1.2.0.5

1.3.0

1.3.1

2.*

2.1.0

2.2.0

2.2.1

2.4.0

2.4.1