CVE-2024-52549
Aliases: GHSA-jv82-75fh-23r7
Advisory lineage Upstream: 0 Downstream: 6
Analyzed
Published: 13 Nov 2024, 20:53
Last modified: 13 Nov 2024, 21:35
Vulnerability Summary
Overall Risk (default): low (17/100)
CVSS Score: 4.3 MEDIUM, v3.1 (cve.org)
EPSS Score
0.28% LOW
0% probability +0.07%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
13 Nov 2024, 20:53
Published
Vulnerability first disclosed
13 Nov 2024, 21:35
Last Modified
Vulnerability information updated
Description
Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files on the controller file system.
CVSS Metrics
- v3.1 • MEDIUM • Score: 4.3 • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS Trends
Current EPSS score: 0.28% • Percentile: 51%
Techniques & Countermeasures
- CWE-862 • Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Affected Systems
- jenkins project • jenkins script security plugin
≤ 1362.v67dc1f0e1b_b_3 | 1365.v4778ca_84b_de5 | ≥ 1366.vd44b_49a_5c85c, ≤ 1367.vdf2fc45f229c
- jenkins • script_security
< 1362.1364.v4cf2dc5d8776 | ≥ 1366.vd44b_49a_5c85c, < 1367.vdf2fc45f229c | 1365.v4778ca_84b_de5
- org.jenkins-ci.plugins • script-security
< 1368.vb