CVE-2017-1000243 — Missing Authorization in Jenkins Favorite Plugin

CWE-862 — Missing Authorization CWE-285 — Improper Authorization6 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

0.0%

top 91.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Favorite Plugin

Timeline

PublishedNov 1

Latest updateMay 13

Description

Jenkins Favorite Plugin 2.1.4 and older does not perform permission checks when changing favorite status, allowing any user to set any other user's favorites

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDjenkins/favorite_plugin2.1.4

▶jenkinsjenkins/favorite_plugin

🔴Vulnerability Details

GHSA

Missing permission check in Jenkins Favorite Plugin↗2022-05-13

▶

OSV

Missing permission check in Jenkins Favorite Plugin↗2022-05-13

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2017-06-06↗2017-06-06

▶

Red Hat

jenkins-plugin-favorite: Missing permission check in Favorite Plugin allows anyone to change favorites for any other user↗2017-06-05

▶

💬Community

Bugzilla

CVE-2017-1000243 jenkins-plugin-favorite: Missing permission check in Favorite Plugin allows anyone to change favorites for any other user↗2018-04-10

▶