CVE-2024-52550 — Improper Validation of Integrity Check Value in Jenkins Pipeline

CWE-354 — Improper Validation of Integrity Check Value CWE-862 — Missing Authorization CWE-285 — Improper Authorization6 documents6 sources

Severity

8.0HIGHNVD

EPSS

1.4%

top 19.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Pipeline Jenkins Project Jenkins Pipeline Groovy Plugin

Timeline

PublishedNov 13

Description

Jenkins Pipeline: Groovy Plugin 3990.vd281dd77a_388 and earlier, except 3975.3977.v478dd9e956c3 does not check whether the main (Jenkinsfile) script for a rebuilt build is approved, allowing attackers with Item/Build permission to rebuild a previous build whose (Jenkinsfile) script is no longer approved.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 2.1 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_pipeline_groovy_plugin3975.v567e2a_1ffa_22+1

▶NVDjenkins/pipeline< 3975.3977.v478dd9e956c3+1

🔴Vulnerability Details

OSV

Rebuilding a run with revoked script approval allowed by Jenkins Pipeline: Groovy Plugin↗2024-11-13

▶

GHSA

Rebuilding a run with revoked script approval allowed by Jenkins Pipeline: Groovy Plugin↗2024-11-13

▶

CVEList

CVE-2024-52550: Jenkins Pipeline: Groovy Plugin 3990↗2024-11-13

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2024-11-13↗2024-11-13

▶

Red Hat

jenkins-plugin/workflow-cps: Lack of Approval Check for Rebuilt Jenkins Pipelines↗2024-11-13

▶