Skip to main content

Script Security CVE-2024-52549

MEDIUM
Missing Authorization (CWE-862)
2024-11-13 jenkinsci-cert@googlegroups.com
4.3
CVSS 3.1 · Vendor: googlegroups
Share

Severity by source

Vendor (googlegroups) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from Vendor (googlegroups) · only source for this CVE.

CVSS VectorVendor: googlegroups

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Nov 13, 2024 - 21:15 cve.org
MEDIUM 4.3

DescriptionCVE.org

Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files on the controller file system.

AnalysisAI

Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Missing Authorization (CWE-862), which allows attackers to access resources or perform actions without proper authorization checks. Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files on the controller file system. Affected products include: Jenkins Script Security.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement role-based access control, validate authorization on every request server-side, apply principle of least privilege.

CVE-2019-1003029 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/

CVE-2019-1003005 HIGH POC
8.8 Feb 06

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/

CVE-2019-1003000 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/

CVE-2022-43404 CRITICAL
9.9 Oct 19

A sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated synthetic constructor

CVE-2022-43403 CRITICAL
9.9 Oct 19

A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script Security Plugin

CVE-2022-43401 CRITICAL
9.9 Oct 19

A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Sc

CVE-2020-2279 CRITICAL
9.9 Sep 23

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.74 and earlier allows attackers with permission to de

CVE-2019-10431 CRITICAL
9.9 Oct 01

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.64 and earlier related to the handling of default par

CVE-2024-34144 CRITICAL
9.8 May 02

A sandbox bypass vulnerability involving crafted constructor bodies in Jenkins Script Security Plugin 1335.vf07d9ce377a_

CVE-2019-1003040 CRITICAL
9.8 Mar 28

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.55 and earlier allows attackers to invoke arbitrary c

CVE-2017-1000107 HIGH
8.8 Oct 05

Script Security Plugin did not apply sandboxing restrictions to constructor invocations via positional arguments list, s

CVE-2024-34145 HIGH
8.8 May 02

A sandbox bypass vulnerability involving sandbox-defined classes that shadow specific non-sandbox-defined classes in Jen

Share

CVE-2024-52549 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy