CVE-2014-2058

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

Published Bysecurity@debian.org

Published DateOct 17, 2014, 15:55

Affected Versions(2)

org.jenkins-ci.main:jenkins-core(Maven)

Introduced1.533

Fixed1.551

LimitN/A

org.jenkins-ci.main:jenkins-core(Maven)

Introduced0

Fixed1.532.2

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.jenkins-ci.main:jenkins-core(Maven)	1.533	1.551	N/A
org.jenkins-ci.main:jenkins-core(Maven)	0	1.532.2	N/A

Weakness Type (CWE):CWE-264

CVSS Metrics

Base Score

6.5

Vector String

AV:N/AC:L/Au:S/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL

References

Weakness Type (CWE):CWE-264

CVSS Metrics

Base Score

6.5

Vector String

AV:N/AC:L/Au:S/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL