GHSA-vc7g-4269-f7hw

Source

https://github.com/advisories/GHSA-vc7g-4269-f7hw

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vc7g-4269-f7hw/GHSA-vc7g-4269-f7hw.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vc7g-4269-f7hw

Aliases

CVE-2020-2255

Published

2022-05-24T17:28:25Z

Modified

2024-02-16T08:09:23.296081Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Missing permission check in Blue Ocean Plugin

Details

Updated 2020-09-16

This entry previously misidentified the problematic behavior. The HTTP request itself is legitimate, but only authorized users should be able to perform it.

Original Description

Blue Ocean Plugin 1.23.2 and earlier does not perform permission checks in several HTTP endpoints implementing connection tests.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Blue Ocean Plugin 1.23.3 requires Item/Create permission to perform these connection tests.

References

Affected packages

Maven / io.jenkins.blueocean:blueocean

Package

Name: io.jenkins.blueocean:blueocean; View open source insights on deps.dev
Purl: pkg:maven/io.jenkins.blueocean/blueocean

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.23.3

Affected versions

1.*

1.0-alpha-1

1.0-alpha-2

1.0-alpha-3

1.0-alpha-4

1.0-alpha-5

1.0-alpha-6

1.0-alpha-7

1.0-alpha-8

1.0-alpha-9

1.0.0-b01

1.0.0-b02

1.0.0-b03

1.0.0-b04

1.0.0-b05

1.0.0-b06

1.0.0-b07

1.0.0-b08

1.0.0-b09

1.0.0-b10

1.0.0-b11

1.0.0-b12

1.0.0-b13

1.0.0-b14

1.0.0-b15

1.0.0-b16

1.0.0-b17

1.0.0-b18

1.0.0-b19-beta-1

1.0.0-b19

1.0.0-b20-beta-1

1.0.0-b20

1.0.0-b21-beta-1

1.0.0-b21

1.0.0-b22

1.0.0-b23

1.0.0-b24

1.0.0-b25

1.0.0-rc1

1.0.0-rc2

1.0.0-rc3

1.0.0-rc4

1.0.0

1.0.1

1.1.0-beta-1

1.1.0-beta-2

1.1.0-beta-4

1.1.0-beta-8

1.1.0-beta-9

1.1.0

1.1.1

1.1.2

1.1.4

1.1.5

1.1.6

1.1.7

1.2.0-beta-1

1.2.0-beta-3

1.2.0-beta-4

1.2.0-beta-5

1.2.0-beta-6

1.2.0-beta-7

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.3.0-beta-1

1.3.0-beta-2

1.3.0-beta-3

1.3.0-beta-4

1.3.0-beta-5

1.3.0-beta-6

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.4.0-beta-3

1.4.0-beta-4

1.4.0-beta-5

1.4.0

1.4.1

1.4.2

1.5.0-beta-1

1.5.0-beta-2

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

1.5.5

1.6.0-beta-1

1.6.0-beta-3

1.6.0

1.6.1

1.6.2

1.7.0

1.7.1

1.7.2

1.8.0

1.8.2

1.8.3

1.8.4

1.9.0

1.9.1

1.10.1

1.10.2

1.11.0

1.11.1

1.13.0

1.13.1

1.13.2

1.14.0

1.15.0

1.15.1

1.16.0

1.17.0

1.18.0

1.18.1

1.19.0

1.19.1

1.19.2

1.21.0

1.22.0

1.23.0

1.23.1

1.23.2

Database specific

{
    "last_known_affected_version_range": "<= 1.23.2"
}