Detections
Analytics
Jenkins Enterprise and Operations Center < 2.289.3.2 rev 2 Bad Permissions (CloudBees Security Advisory 2021-08-02)
low Nessus Plugin ID 153978
Language:
Synopsis
A job scheduling and management system hosted on the remote web server is affected by a bad permissions vulnerability.Description
The version of Jenkins Enterprise or Jenkins Operations Center running on the remote web server is 2.x prior to 2.289.3.2 rev 2. It is, therefore, affected by a vulnerability when using CasC bundles. A new build step allows users without 'ADMIN' permission to remove the CasC bundles.Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade Jenkins Enterprise or Jenkins Operations Center to version 2.289.3.2 rev 2 or later.See Also
https://www.cloudbees.com/cloudbees-security-advisory-2021-08-02
Plugin Details
Severity: Low
ID: 153978
File Name: cloudbees_security_advisory_2021-08-02.nasl
Version: 1.3
Type: combined
Agent: windows, macosx, unix
Family: CGI abuses
Published: 10/11/2021
Updated: 6/5/2024
Configuration: Enable thorough checks
Supported Sensors: Nessus Agent, Nessus
Enable CGI Scanning: true
Risk Information
CVSS Score Rationale: Based on analysis of vendor advisory.
CVSS v2
Risk Factor: Low
Base Score: 1.7
Vector: CVSS2#AV:L/AC:L/Au:S/C:N/I:P/A:N
CVSS Score Source: manual
CVSS v3
Risk Factor: Low
Base Score: 3.3
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Vulnerability Information
CPE: cpe:/a:cloudbees:jenkins
Required KB Items: installed_sw/Jenkins
Patch Publication Date: 8/2/2021
Vulnerability Publication Date: 8/2/2021