GHSA-m8f2-9282-x38v

Source
https://github.com/advisories/GHSA-m8f2-9282-x38v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-m8f2-9282-x38v/GHSA-m8f2-9282-x38v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-m8f2-9282-x38v
Aliases
Published
2022-05-24T16:47:43Z
Modified
2024-02-16T08:24:30.720671Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Jenkins ElectricFlow Plugin Missing permission checks
Details

Various form validation and form autocompletion methods in CloudBees CD Plugin lacked permission checks. This allowed attackers with Overall/Read access to obtain information about the configuration of CloudBees CD Plugin, as well as the configuration and data of connected ElectricFlow servers.

These form validation and autocompletion methods now require Overall/Administer or Job/Configure permission, as appropriate for the given method.
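The pattern behind this advisory is a Stapler web method (a doCheck… validation or doFill… autocompletion method) that Jenkins exposes over HTTP to anyone who can reach the form, so a missing permission check turns it into an information oracle. The following is an added illustration of that pattern and its fix; it is hypothetical code, not the ElectricFlow/CloudBees CD plugin's own, and the class, method names and the two lookup helpers are assumptions. It uses only the core Jenkins API (`Jenkins.get().checkPermission`, `Item.checkPermission`, `FormValidation`, `ListBoxModel`).

```java
import hudson.model.Item;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

// Hypothetical, simplified descriptor (assumption: in a real plugin this would be a
// Descriptor subclass). Names and the two lookup helpers are illustrative only.
public class ExampleConfigurationDescriptor {

    // Placeholder for the plugin's own configuration store (assumed helper).
    private Object lookupConfiguration(String name) { return null; }

    // Placeholder for the list of configured server names (assumed helper).
    private String[] allConfigurationNames() { return new String[0]; }

    // Vulnerable pattern (CWE-862): the method answers for any authenticated user
    // with Overall/Read, so the response reveals which configurations exist.
    public FormValidation doCheckConfigurationNameUnsafe(@QueryParameter String value) {
        return lookupConfiguration(value) != null
                ? FormValidation.ok()
                : FormValidation.error("No configuration named " + value);
    }

    // Fixed pattern for a global (system-level) setting: require Overall/Administer
    // before touching any state. checkPermission throws AccessDeniedException otherwise.
    public FormValidation doCheckConfigurationName(@QueryParameter String value) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return lookupConfiguration(value) != null
                ? FormValidation.ok()
                : FormValidation.error("No configuration named " + value);
    }

    // Fixed pattern for a job-level field: require Job/Configure on the job being
    // edited, and fall back to Overall/Administer when no job is in the request path
    // (for example when the form is rendered outside a job context).
    public ListBoxModel doFillConfigurationNameItems(@AncestorInPath Item item) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        ListBoxModel model = new ListBoxModel();
        for (String name : allConfigurationNames()) {
            model.add(name);
        }
        return model;
    }
}
```

When auditing a plugin for this class of issue, every public `doCheck*`, `doFill*`, `doTest*` or `doValidate*` method in a Descriptor or global configuration class should be checked for a permission call that runs before any configuration or remote data is read; the advisory's fix is exactly that placement, with the permission level chosen by whether the field is global or per-job.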

Database specific
{
    "nvd_published_at": "2019-06-11T14:29:00Z",
    "cwe_ids": [
        "CWE-862"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-26T22:17:17Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:electricflow

Package

Name
org.jenkins-ci.plugins:electricflow
Purl
pkg:maven/org.jenkins-ci.plugins/electricflow

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.1.7

Affected versions

1.*

1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6

Database specific

{
    "last_known_affected_version_range": "<= 1.1.6"
}