GHSA-w2j3-pq63-339w
Suggest an improvement- Source
- https://github.com/advisories/GHSA-w2j3-pq63-339w
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-w2j3-pq63-339w/GHSA-w2j3-pq63-339w.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-w2j3-pq63-339w
- Aliases
- Published
- 2022-11-16T12:00:22Z
- Modified
- 2024-02-16T08:25:01.395547Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Incorrect permission checks in Jenkins Support Core Plugin
- Details
-
Support Core Plugin defines the permission Support/DownloadBundle that allows users without Overall/Administer permission to create and download support bundles containing a limited set of diagnostic information.
Support Core Plugin 1206.v14049fabd860 and earlier does not correctly perform permission checks in several HTTP endpoints.
This allows attackers with Support/DownloadBundle permission to download a previously created support bundle containing information limited to users with Overall/Administer permission.
Support Core Plugin 1206.1208.v9b7a1d48db_0f deprecates the Support/DownloadBundle permission. The Overall/Administer permission is now required to download support bundles.
- Database specific
{ "github_reviewed": true, "severity": "MODERATE", "nvd_published_at": "2022-11-15T20:15:00Z", "cwe_ids": [ "CWE-276", "CWE-863" ], "github_reviewed_at": "2022-11-21T22:21:38Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-45383
- https://github.com/jenkinsci/support-core-plugin/commit/9b7a1d48db0fdfb840ca3393e9462e687e69385b
- https://github.com/jenkinsci/support-core-plugin
- https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2804
- http://www.openwall.com/lists/oss-security/2022/11/15/4
Affected packages
Maven / org.jenkins-ci.plugins:support-core
Package
- Name
- org.jenkins-ci.plugins:support-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jenkins-ci.plugins/support-core
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1206.1208.v9b_7a_1d48db_0f
Affected versions
1.*
1.0
1.1
1.2
1.3
1.4
1.5
1.6
1.7
1.8
2.*
2.0
2.1
2.3
2.4
2.5
2.6
2.7
2.8
2.9
2.10
2.11
2.12
2.13
2.14
2.15
2.16
2.17
2.18
2.19
2.20
2.21
2.22
2.24
2.25
2.27
2.28
2.29
2.30
2.31
2.32
2.33
2.34
2.35
2.36
2.37
2.38
2.39
2.40
2.41
2.42
2.43
2.44
2.45
2.45.1
2.46
2.47
2.48
2.49
2.50
2.51
2.52
2.53
2.54
2.55
2.56
2.56.1
2.57
2.58
2.59
2.60
2.61
2.62
2.62.1
2.63-alpha
2.63
2.64
2.65
2.66
2.67
2.68
2.68.1
2.69
2.70
2.70.1
2.71
2.72
2.72.1
2.72.2
2.73
2.74
2.75
2.76
2.76.1
2.77
2.78
2.79
2.79.1
2.80
2.80.1
2.80.2
2.81
1124.*
1124.vb_16439f088b_4
1130.*
1130.vb_eef6015fc37
1140.*
1140.vb_b_3b_7d866b_a_8
1148.*
1148.vedff8cb_56a_da_
1158.*
1158.v9189f64fec8c
1162.*
1162.vb_b_e5198c6b_22
1172.*
1172.va_1fcf85806d0
1174.*
1174.vc46f6b_04d894
1195.*
1195.v20a_701e8897e
1201.*
1201.v8d1f54a_6ec7c
1201.1203.v828b_ef272669
1204.*
1204.v7ee88742a_53f
1206.*
1206.v14049fa_b_d860