
CVE-2017-1000089: Jenkins Build Step Plugin fails to check Item/Build permission

CVSS Score: 5.3 (CVSS 3.0)

Basic Information

EPSS Score: 0.07224%
Published: 5/13/2022
Updated: 1/30/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Package Name: org.jenkins-ci.plugins:pipeline-build-step
Ecosystem: maven
Vulnerable Versions: <= 2.5
First Patched Version: 2.5.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from missing permission checks when triggering builds. Jenkins security patterns require:

  1. checkPermission(Item.BUILD) before scheduling builds
  2. checkPermission(Item.READ) for project resolution

While the exact code changes aren't shown, the advisory explicitly states that the plugin failed to check the build authentication context when triggering projects. The primary vulnerable functions would be those handling:

  • Project resolution (getProjects)
  • Build triggering execution (run)

These functions would appear in stack traces when a build step triggers another project. The medium confidence reflects inference from Jenkins security patterns rather than direct patch inspection.


Description

Builds in Jenkins are associated with an authentication that controls the permissions that the build has to interact with other elements in Jenkins. The Pipeline: Build Step Plugin did not check the build authentication it was running as and allowed
