CVE-2017-1000089: Jenkins Build Step Plugin fails to check Item/Build permission
CVSS Score: 5.3 (CVSS 3.0)
Basic Information
CVE ID: CVE-2017-1000089
GHSA ID
EPSS Score: 0.07224%
CWE
Published: 5/13/2022
Updated: 1/30/2024
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.jenkins-ci.plugins:pipeline-build-step | maven | <= 2.5 | 2.5.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing permission checks when triggering builds. Jenkins security patterns require:
- checkPermission(Item.BUILD) before scheduling builds
- checkPermission(Item.READ) for project resolution
While the exact code changes aren't shown, the advisory explicitly states that the plugin did not check the build's authentication context when triggering other projects. The primary vulnerable functions would be those handling:
- Project resolution (getProjects)
- Build triggering execution (run)
These functions would appear in stack traces when a build step triggers another project. The medium confidence rating reflects that this analysis is inferred from Jenkins security patterns rather than from inspection of the patch itself.
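As an added illustration (not the plugin's own code and not the actual 2.5.1 fix), here is a downstream-trigger step that applies the two checks the analysis lists, evaluated under the upstream build's authentication rather than the SYSTEM account. It assumes the upstream job is a `Queue.Task` (true for freestyle and Pipeline jobs) and uses only Jenkins core APIs (`Tasks.getAuthenticationOf`, `ACL.as`, `ParameterizedJobMixIn.scheduleBuild2`); the class name `GuardedTrigger` is hypothetical.

```java
// Added example: a hardened "trigger another job" step. The two lines marked
// READ and BUILD are the checks whose absence the analysis above describes.
import hudson.model.Action;
import hudson.model.Cause;
import hudson.model.CauseAction;
import hudson.model.Item;
import hudson.model.Job;
import hudson.model.ParameterizedJobMixIn;
import hudson.model.Queue;
import hudson.model.Run;
import hudson.model.queue.Tasks;
import hudson.security.ACL;
import hudson.security.ACLContext;
import jenkins.model.Jenkins;
import org.acegisecurity.AccessDeniedException;
import org.acegisecurity.Authentication;

public final class GuardedTrigger {

    /** Schedule {@code targetName} on behalf of {@code upstream}, or throw. */
    public static Queue.Item trigger(Run<?, ?> upstream, String targetName) {
        // Identity the upstream build runs as: SYSTEM by default, or whatever a
        // configured QueueItemAuthenticator assigned (assumes parent is a Queue.Task).
        Authentication auth = Tasks.getAuthenticationOf((Queue.Task) upstream.getParent());

        // Every ACL check below is evaluated as that identity, so a build that
        // was deliberately given a narrow authentication cannot escalate to SYSTEM.
        try (ACLContext ctx = ACL.as(auth)) {
            // READ: getItemByFullName filters on Item.READ, so a job the build may
            // not read is indistinguishable from a job that does not exist.
            Job<?, ?> target = Jenkins.get().getItemByFullName(targetName, Job.class);
            if (target == null) {
                throw new AccessDeniedException("No such readable job: " + targetName);
            }

            // BUILD: the vulnerable pattern schedules without this line.
            target.checkPermission(Item.BUILD);

            // Record the upstream build as the cause so the trigger is auditable.
            Action cause = new CauseAction(new Cause.UpstreamCause(upstream));
            return ParameterizedJobMixIn.scheduleBuild2(target, -1, cause);
        }
    }
}
```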