Missing Permission Check in Jenkins Plugin Allows Attackers to Reconfigure Future Build Steps
CVE-2024-2216

8.8HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Docker-build-step Plugin
Vendor: CVE Published:; 6 March 2024

Summary

A critical security flaw in the Jenkins docker-build-step Plugin permits attackers with Overall/Read permissions to connect to any TCP or Unix socket URL of their choice. This vulnerability allows unauthorized users to reconfigure the plugin's settings using manipulated connection test parameters, potentially jeopardizing subsequent build step executions. It underscores the need for stringent permission checks and enhanced security measures in Jenkins plugins.

Affected Version(s)

Jenkins docker-build-step Plugin 0 <= 2.11

References

https://www.jenkins.io/security/advisory/2024-03-06/#SECU...

vendor-advisory

http://www.openwall.com/lists/oss-security/2024/03/06/3

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 6, 2024
Vulnerability Reserved
Mar 6, 2024