CVE-2022-41233

MEDIUM4.3Auth bypass

Description

Jenkins Rundeck Plugin 3.6.11 and earlier does not perform Run/Artifacts permission checks in multiple HTTP endpoints, allowing attackers with Item/Read permission to obtain information about build artifacts of a given job, if the optional Run/Artifacts permission is enabled.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected products

Jenkins Project / Jenkins Rundeck Pluginunspecified – 3.6.11
Jenkins Project / Jenkins Rundeck Pluginnext of 3.6.11 – unspecified

References

MISChttps://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2170