Lucene-Search Plugin does not perform permission checks in several HTTP endpoints
Moderate severity, GitHub Reviewed
Published Jul 28, 2022 to the GitHub Advisory Database. Updated Jan 3, 2024.
Package
Affected versions: <= 370.v62a5f618cd3a
Patched versions: 387.v938a
Description
Published by the National Vulnerability Database: Jul 27, 2022
Published to the GitHub Advisory Database: Jul 28, 2022
Reviewed: Aug 11, 2022
Last updated: Jan 3, 2024
Jenkins Lucene-Search Plugin 370.v62a5f618cd3a and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to reindex the database and to obtain information about jobs otherwise inaccessible to them.