Jenkins Deployer Framework Plugin allows attackers with Item/Read permission to read deployment logs
Moderate severity
GitHub Reviewed
Published
Jul 28, 2022
to the GitHub Advisory Database
•
Updated Jan 5, 2024
Package
Affected versions
<= 85.v1d1888e8c021
Patched versions
86.v7b_a_4a_55b_f3ec
Description
Published by the National Vulnerability Database
Jul 27, 2022
Published to the GitHub Advisory Database
Jul 28, 2022
Reviewed
Aug 11, 2022
Last updated
Jan 5, 2024
Jenkins Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Item/Read permission to read deployment logs.
Deployer Framework Plugin 86.v7b_a_4a_55b_f3ec requires Deploy Now/Deploy permission to read deployment logs.
References