Headline
GHSA-hcpw-v727-64qh: Jenkins Team Concert Plugin does not perform permission checks in methods implementing form validation
Jenkins Team Concert Plugin 2.4.1 and earlier does not perform permission checks in methods implementing form validation.
This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.
Team Concert Plugin 2.4.2 requires Overall/Administer permission for the affected form validation methods.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2023-3315
Jenkins Team Concert Plugin does not perform permission checks in methods implementing form validation
Moderate severity GitHub Reviewed Published Jun 19, 2023 to the GitHub Advisory Database • Updated Jun 20, 2023
Package
maven org.jenkins-ci.plugins:teamconcert (Maven)
Affected versions
< 2.4.2
Published to the GitHub Advisory Database
Jun 19, 2023
Last updated
Jun 20, 2023
Related news
A potential vulnerability has been identified in the Micro Focus Dimensions CM Plugin for Jenkins. The vulnerability allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. See the following Jenkins security advisory for details: * https://www.jenkins.io/security/advisory/2023-06-14/ https://www.jenkins.io/security/advisory/2023-06-14/
Missing permission checks in Jenkins Team Concert Plugin 2.4.1 and earlier allow attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.