CVE-2017-1000084 — Incorrect Default Permissions in Jenkins Parameterized Trigger

CWE-276 — Incorrect Default Permissions4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 88.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Parameterized Trigger Jenkins Build Step Plugin Jenkins Credentials Plugin +15 more

Timeline

PublishedOct 5

Latest updateMay 13

Description

Parameterized Trigger Plugin fails to check Item/Build permission: The Parameterized Trigger Plugin did not check the build authentication it was running as and allowed triggering any other project in Jenkins.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages18 packages

▶jenkinsjenkins/parameterized_trigger_plugin

▶jenkinsjenkins/build_step_plugin

▶NVDjenkins/parameterized_trigger42 versions+41

▶jenkinsjenkins/plugins_like_authorize_project_plugin

▶jenkinsjenkins/git_plugin

🔴Vulnerability Details

GHSA

Parameterized Trigger Plugin fails to check Item/Build permission↗2022-05-13

▶

OSV

Parameterized Trigger Plugin fails to check Item/Build permission↗2022-05-13

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2017-07-10↗2017-07-10

▶