Miggo Logo

CVE-2017-1000108: Jenkins Pipeline: Input Step Plugin

7.5

CVSS Score
3.0

Basic Information

EPSS Score
0.25594%
Published
5/17/2022
Updated
1/28/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:pipeline-input-stepmaven< 2.72.7

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper authorization checks during input step interactions. The InputStepExecution class is central to handling pipeline input steps in Jenkins. The waitForInput() method would be responsible for processing user input submissions. In vulnerable versions, this method likely performed permission checks using Item/READ (via methods like getACL().checkPermission) rather than requiring Item/BUILD. The advisory specifically mentions this authorization flaw was fixed by requiring Build permission, indicating the vulnerability exists in the input handling execution path. While exact code isn't available, the plugin's architecture and Jenkins' security patterns strongly suggest this is where the flawed permission check occurred.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** Pip*lin*: Input St*p Plu*in *y ****ult *llow** us*rs wit* It*m/R*** ****ss to * pip*lin* to int*r**t wit* t** st*p to provi** input. T*is **s ***n ***n***, *n* now r*quir*s us*rs to **v* t** It*m/*uil* p*rmission inst***.

Reasoning

T** vuln*r**ility st*ms *rom improp*r *ut*oriz*tion ****ks *urin* input st*p int*r**tions. T** `InputSt*p*x**ution` *l*ss is **ntr*l to **n*lin* pip*lin* input st*ps in J*nkins. T** `w*it*orInput()` m*t*o* woul* ** r*sponsi*l* *or pro**ssin* us*r inp