GHSA-v98h-rv7j-hf6j

Source
https://github.com/advisories/GHSA-v98h-rv7j-hf6j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-v98h-rv7j-hf6j/GHSA-v98h-rv7j-hf6j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-v98h-rv7j-hf6j
Aliases
Published
2022-05-24T17:01:41Z
Modified
2023-11-08T04:01:18.532605Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Jenkins Google Compute Engine Plugin Missing Authorization vulnerability
Details

Missing permission checks in various API endpoints in Jenkins Google Compute Engine Plugin 4.1.1 and earlier allow attackers with Overall/Read permission to obtain limited information about the plugin configuration and environment. Google Compute Engine Plugin 4.2.0 requires the appropriate Job/Configure permission to view these metadata.

Database specific
{
    "nvd_published_at": "2019-11-21T15:15:00Z",
    "github_reviewed_at": "2022-12-06T21:58:48Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-285",
        "CWE-862"
    ]
}
References

Affected packages

Maven / org.jenkins-ci.plugins:google-compute-engine

Package

Name
org.jenkins-ci.plugins:google-compute-engine
Purl
pkg:maven/org.jenkins-ci.plugins/google-compute-engine

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.2.0

Affected versions

1.*

1.0-beta-1
1.0-beta-2
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.10

2.*

2.0.0

3.*

3.0.0
3.1.0
3.1.1
3.2.0
3.3.0
3.3.1
3.3.2
3.4.0

4.*

4.0.0
4.1.0
4.1.1

Database specific

{
    "last_known_affected_version_range": "<= 4.1.1"
}