Description
Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents.
Remediation
References
https://jenkins.io/security/advisory/2017-02-01/
https://github.com/jenkinsci/jenkins/commit/97a61a9fe55f4c16168c123f98301a5173b9fa86
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2611
http://www.securityfocus.com/bid/95956
Related Vulnerabilities
CVE-2021-45458 Vulnerability in maven package org.apache.kylin:kylin-core-common
CVE-2022-22984 Vulnerability in npm package snyk-docker-plugin
CVE-2023-3431 Vulnerability in maven package net.sourceforge.plantuml:plantuml
CVE-2016-5007 Vulnerability in maven package org.springframework.security:spring-security-config
CVE-2022-43412 Vulnerability in maven package org.jenkins-ci.plugins:generic-webhook-trigger