GHSA-6gp4-2f92-j2w5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6gp4-2f92-j2w5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-6gp4-2f92-j2w5/GHSA-6gp4-2f92-j2w5.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6gp4-2f92-j2w5
- Aliases
- Published
- 2023-05-16T18:30:16Z
- Modified
- 2024-02-16T08:18:54.449207Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Jenkins Email Extension Plugin missing permission check
- Details
-
Jenkins Email Extension Plugin 2.96 and earlier does not perform a permission check in a method implementing form validation.
This allows attackers with Overall/Read permission to check for the existence of files in the
email-templates/directory in the Jenkins home directory on the controller file system.This form validation method requires the appropriate permission in Email Extension Plugin 2.96.1.
- References
Affected packages
Maven / org.jenkins-ci.plugins:email-ext
Package
- Name
- org.jenkins-ci.plugins:email-ext
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jenkins-ci.plugins/email-ext
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.96.1
Affected versions
2.*
2.11
2.12
2.13
2.14
2.14.1
2.15
2.16
2.18
2.19
2.20
2.21
2.22
2.24.1
2.25
2.27
2.27.1
2.28
2.29
2.30
2.30.1
2.30.2
2.31
2.32
2.33
2.34
2.35
2.35.1
2.36
2.37
2.37.1
2.37.2
2.37.2.2
2.38
2.38.1
2.38.2
2.39
2.39.3
2.40-beta
2.40
2.40.1
2.40.2
2.40.3
2.40.4
2.40.5
2.41
2.41.2
2.41.3
2.42
2.43
2.44
2.45
2.46
2.47
2.50
2.51
2.52
2.53
2.54
2.55
2.56
2.57
2.57.1
2.57.2
2.58
2.59
2.60
2.61
2.62
2.62.1
2.63
2.64
2.65
2.66
2.68
2.68.1
2.68.2
2.69
2.69.1
2.69.2
2.71
2.72
2.73
2.74
2.75
2.76
2.77
2.78
2.79
2.80
2.81
2.82
2.83
2.84
2.85
2.86
2.87
2.88
2.89
2.89.0.1
2.89.0.2
2.89.1
2.90
2.91
2.92
2.93
2.93.1
2.94
2.95
2.96