5.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-1000089

GHSA ID

GHSA-8jx9-7j5m-79x4

EPSS Score

0.07224%

CWE

CWE-276

Published

5/13/2022

Updated

1/30/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-1000089

CVE-2017-1000089:
Jenkins Build Step Plugin fails to check Item/Build permission

Builds in Jenkins are associated with an authentication that controls the permissions that the build has to interact with other elements in Jenkins. The Pipeline: Build Step Plugin did not check the build authentication it was running as and allowed triggering any other project in Jenkins.

(GitHub Advisory)

5.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-1000089

GHSA ID

GHSA-8jx9-7j5m-79x4

EPSS Score

0.07224%

CWE

CWE-276

Published

5/13/2022

Updated

1/30/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:pipeline-build-step	maven	<= 2.5	2.5.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing permission checks when triggering builds. Jenkins security patterns require:

checkPermission(Item.BUILD) before scheduling builds
checkPermission(Item.READ) for project resolution

While the exact code changes aren't shown, the advisory explicitly states the plugin failed to check build authentication context when triggering projects. The primary vulnerable functions would be those handling:

Project resolution (getProjects)
Build triggering execution (run)

These functions would appear in stack traces when a build step triggers another project. The medium confidence reflects inference from Jenkins security patterns rather than direct patch inspection.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*uil*s in J*nkins *r* *sso*i*t** wit* *n *ut**nti**tion t**t *ontrols t** p*rmissions t**t t** *uil* **s to int*r**t wit* ot**r *l*m*nts in J*nkins. T** Pip*lin*: *uil* St*p Plu*in *i* not ****k t** *uil* *ut**nti**tion it w*s runnin* *s *n* *llow**

Reasoning

T** vuln*r**ility st*ms *rom missin* p*rmission ****ks w**n tri***rin* *uil*s. J*nkins s**urity p*tt*rns r*quir*: *. ****kP*rmission(It*m.*UIL*) ***or* s****ulin* *uil*s *. ****kP*rmission(It*m.R***) *or proj**t r*solution W*il* t** *x**t *o** ***n*

5.3

Basic Information

Concerned about an active attack path?

CVE-2017-1000089: Jenkins Build Step Plugin fails to check Item/Build permission

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2017-1000089:
Jenkins Build Step Plugin fails to check Item/Build permission

Vulnerability Intelligence
Miggo AI