Base Score

HIGH8

CVE-2024-52550

Jenkins Pipeline: Groovy Plugin 3990.vd281dd77a_388 and earlier, except 3975.3977.v478dd9e956c3 does not check whether the main (Jenkinsfile) script for a rebuilt build is approved, allowing attackers with Item/Build permission to rebuild a previous build whose (Jenkinsfile) script is no longer approved.

VectorNETWORK

Published Byjenkinsci-cert@googlegroups.com

Published DateNov 13, 2024, 21:15

Affected Versions(1)

org.jenkins-ci.plugins.workflow:workflow-cps(Maven)

Introduced0

Fixed3993.v3e20a

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.jenkins-ci.plugins.workflow:workflow-cps(Maven)	0	3993.v3e20a	N/A

Weakness Type (CWE):CWE-354

CVSS Metrics

Base Score

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH

References

https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3362

Base Score

HIGH8

Weakness Type (CWE):CWE-354

CVSS Metrics

Base Score

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH