Description
Jenkins versions before 2.44 and 2.32.2 are vulnerable to an insufficient permission check. This allows users with permission to create new items (e.g. jobs) to overwrite existing items they don't have access to (SECURITY-321).
Remediation
References
http://www.securityfocus.com/bid/95949
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2599
https://github.com/jenkinsci/jenkins/commit/4ed5c850b6855ab064a66d02fb338f366853ce89
https://jenkins.io/security/advisory/2017-02-01/