Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-hcpw-v727-64qh: Jenkins Team Concert Plugin does not perform permission checks in methods implementing form validation

Jenkins Team Concert Plugin 2.4.1 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Team Concert Plugin 2.4.2 requires Overall/Administer permission for the affected form validation methods.

ghsa
#git#java#maven
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2023-3315

Jenkins Team Concert Plugin does not perform permission checks in methods implementing form validation

Moderate severity GitHub Reviewed Published Jun 19, 2023 to the GitHub Advisory Database • Updated Jun 20, 2023

Package

maven org.jenkins-ci.plugins:teamconcert (Maven)

Affected versions

< 2.4.2

Published to the GitHub Advisory Database

Jun 19, 2023

Last updated

Jun 20, 2023

Related news

CVE-2023-32261: Jenkins Security Advisory 2023-06-14

A potential vulnerability has been identified in the Micro Focus Dimensions CM Plugin for Jenkins. The vulnerability allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. See the following Jenkins security advisory for details: * https://www.jenkins.io/security/advisory/2023-06-14/ https://www.jenkins.io/security/advisory/2023-06-14/

CVE-2023-3315: Jenkins Security Advisory 2023-06-14

Missing permission checks in Jenkins Team Concert Plugin 2.4.1 and earlier allow attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

ghsa: Latest News

GHSA-hqmp-g7ph-x543: TunnelVision - decloaking VPNs using DHCP