Rebuilding a run with revoked script approval allowed by Jenkins Pipeline: Groovy Plugin
High severity • GitHub Reviewed • Published Nov 13, 2024 to the GitHub Advisory Database • Updated Nov 26, 2024
Package
Affected versions: < 3993.v3e20a
Patched versions: 3993.v3e20a
Published by the National Vulnerability Database: Nov 13, 2024
Published to the GitHub Advisory Database: Nov 13, 2024
Reviewed: Nov 14, 2024
Last updated: Nov 26, 2024
Description
Jenkins Pipeline: Groovy Plugin 3990.vd281dd77a_388 and earlier, except 3975.3977.v478dd9e956c3, does not check whether the main (Jenkinsfile) script for a rebuilt build is approved. This allows attackers with Item/Build permission to rebuild a previous build whose (Jenkinsfile) script is no longer approved. Pipeline: Groovy Plugin 3993.v3e20a_37282f8 refuses to rebuild a build whose main (Jenkinsfile) script is unapproved.
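An added example (not part of the advisory or the plugin's code): a triage check that classifies installed Pipeline: Groovy versions against the ranges stated in the description. The plugin ID `workflow-cps`, the `controller plugin-id:version` inventory format and the sample lines are assumptions; versions between the last affected and first fixed release are reported as unknown because the advisory does not cover them.

```python
import re

# Boundaries taken from the advisory description.
LAST_AFFECTED = 3990                        # 3990.vd281dd77a_388 and earlier
FIRST_FIXED = 3993                          # 3993.v3e20a_37282f8
FIXED_BACKPORT = "3975.3977.v478dd9e956c3"  # named exception to the affected range
PLUGIN_ID = "workflow-cps"                  # assumption: plugin ID, not stated on the page

def classify(version):
    """Return 'fixed', 'affected' or 'unknown' for one plugin version string."""
    version = version.strip()
    if version == FIXED_BACKPORT:           # exact match only; other 3975 builds stay affected
        return "fixed"
    m = re.match(r"(\d+)", version)         # leading numeric component, e.g. 3990
    if not m:
        return "unknown"
    lead = int(m.group(1))
    if lead >= FIRST_FIXED:
        return "fixed"
    if lead <= LAST_AFFECTED:
        return "affected"
    return "unknown"                        # 3991-3992: the advisory is silent

def triage(inventory):
    """Map controller -> status from 'controller plugin-id:version' lines."""
    result = {}
    for line in inventory.splitlines():
        parts = line.split()
        if len(parts) != 2 or ":" not in parts[1]:
            continue                        # skip malformed lines
        plugin, _, version = parts[1].partition(":")
        if plugin == PLUGIN_ID:
            result[parts[0]] = classify(version)
    return result

# Constructed sample inventory (controller names and the last three versions are made up).
SAMPLE = """\
ci-a workflow-cps:3990.vd281dd77a_388
ci-b workflow-cps:3975.3977.v478dd9e956c3
ci-c workflow-cps:3993.v3e20a_37282f8
ci-d workflow-cps:2.94
ci-d git:5.2.1
ci-e workflow-cps:3975.v000000000000
"""

if __name__ == "__main__":
    for controller, status in triage(SAMPLE).items():
        print(controller, status)
```

Controllers reported as affected need the plugin update; until then, anyone holding Item/Build on a Pipeline job there can rebuild runs whose script approval was revoked.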
References