Jenkins Team Concert Plugin does not perform permission checks in methods implementing form validation
Moderate severity
GitHub Reviewed
Published Jun 19, 2023 to the GitHub Advisory Database • Updated Jan 5, 2024
Published by the National Vulnerability Database: Jun 19, 2023
Reviewed: Jun 20, 2023
Description
Jenkins Team Concert Plugin 2.4.1 and earlier does not perform permission checks in methods implementing form validation.
This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.
Team Concert Plugin 2.4.2 requires Overall/Administer permission for the affected form validation methods.
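The pattern described above, as an added example that is not code from the Team Concert Plugin or from this advisory: a form validation method with no permission check beside one that requires Overall/Administer. The class, field and method names are hypothetical, and the code assumes Jenkins core and Stapler on the classpath.

```java
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.util.FormValidation;
import java.io.File;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;

// Hypothetical describable with a "toolPath" form field (illustration only).
public class ExampleToolConfig extends AbstractDescribableImpl<ExampleToolConfig> {

    @Extension
    public static class DescriptorImpl extends Descriptor<ExampleToolConfig> {

        // BEFORE: Stapler exposes doCheck* methods as HTTP endpoints. With no
        // permission check, any user holding Overall/Read can call this and
        // learn from the response whether a path exists on the controller.
        public FormValidation doCheckToolPathUnchecked(@QueryParameter String value) {
            return validatePath(value);
        }

        // AFTER: require Overall/Administer before touching the file system.
        // checkPermission throws AccessDeniedException for other users, so the
        // response no longer depends on the file system state.
        public FormValidation doCheckToolPath(@QueryParameter String value) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return validatePath(value);
        }

        // Shared validation logic: the result differs depending on whether the
        // path exists, which is why the caller must be authorized first.
        private static FormValidation validatePath(String value) {
            if (value == null || value.trim().isEmpty()) {
                return FormValidation.ok();
            }
            return new File(value).exists()
                    ? FormValidation.ok()
                    : FormValidation.error("Path does not exist on the controller");
        }
    }
}
```

When auditing a plugin for this class of issue, list every `doCheck*` method on its descriptors and confirm each one that touches the file system or the network performs a permission check first.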