CVE-2024-28155: Jenkins AppSpider Plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to…

medium4.3CVSS 3.1

AVNACLPRLUINSUCLINAN

Jenkins AppSpider Plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names.

Affected

13 ranges

Vendor	Product	Version range	Fixed in
jenkins	appspider	< 1.0.17	1.0.17
jenkins	appspider_plugin	—	—
jenkins	bitbucket_branch_source_plugin	—	—
jenkins	build_monitor_view_plugin	—	—
jenkins	delphix_plugin	—	—
jenkins	gitbucket_plugin	—	—
jenkins	html_publisher_plugin	—	—
jenkins	improper_input_sanitization_in_html_publisher_plugin	—	—
jenkins	mq_notifier_plugin	—	—
jenkins	owasp_dependency-check_plugin	—	—
jenkins	subversion_partial_release_manager_plugin	—	—
jenkins	tls_certificate_validation_in_delphix_plugin	—	—
jenkins_project	jenkins_appspider_plugin	<= 1.0.16	—