CVE-2024-52550

Aliases:GHSA-mrpr-vr82-x88r

Advisory lineage Upstream: 0 Downstream: 6

Downstream

RHSA-2025:2218 RHSA-2025:2219 RHSA-2025:2220 RHSA-2025:2221 RHSA-2025:2222 RHSA-2025:2223

Analyzed

Published: 13 Nov 2024, 20:53

Last modified:26 Nov 2024, 14:45

Vulnerability Summary

Overall Risk (default)

medium

32/100

CVSS Score

8 HIGH

v3.1 (cve.org)

EPSS Score

1.4% LOW

1% probability +0.37%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

13 Nov 2024, 20:53

Published

Vulnerability first disclosed

26 Nov 2024, 14:45

Last Modified

Vulnerability information updated

Description

Jenkins Pipeline: Groovy Plugin 3990.vd281dd77a_388 and earlier, except 3975.3977.v478dd9e956c3 does not check whether the main (Jenkinsfile) script for a rebuilt build is approved, allowing attackers with Item/Build permission to rebuild a previous build whose (Jenkinsfile) script is no longer approved.

CVSS Metrics

v4.0•HIGH•Score: 8.6CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
v3.1•HIGH•Score: 8CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 1.40%• Percentile: 81%

Techniques & Countermeasures

CWE-354•Improper Validation of Integrity Check Value
The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.

Affected Systems

jenkins project•jenkins pipeline: groovy plugin
≤ 3975.v567e2a_1ffa_22 | 3990.vd281dd77a_388
org.jenkins-ci.plugins.workflow•workflow-cps
< 3993.v3e20a