CVE-2024-28155

MEDIUM4.3Auth bypass

Description

Jenkins AppSpider Plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected products

Jenkins Project / Jenkins AppSpider Plugin0 – 1.0.16

References

MISChttps://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3144
MAILING_LISThttp://www.openwall.com/lists/oss-security/2024/03/06/3