CVE-2017-1000108: Jenkins Pipeline: Input Step Plugin
7.5
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:pipeline-input-step | maven | < 2.7 | 2.7 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper authorization checks during input step interactions. The `InputStepExecution` class is central to handling pipeline input steps in Jenkins. The `waitForInput()` method would be responsible for processing user input submissions. In vulnerable versions, this method likely performed permission checks using Item/READ (via methods like `getACL().checkPermission`) rather than requiring Item/BUILD. The advisory specifically mentions this authorization flaw was fixed by requiring Build permission, indicating the vulnerability exists in the input handling execution path. While exact code isn't available, the plugin's architecture and Jenkins' security patterns strongly suggest this is where the flawed permission check occurred.
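A practical follow-up to this entry is confirming whether an installed copy of the plugin falls inside the `< 2.7` range. The script below is an added example written for this page, not code from the plugin, from Jenkins, or from Miggo; it assumes the standard Jenkins layout in which each exploded plugin lives under `$JENKINS_HOME/plugins/<short-name>/` and its `META-INF/MANIFEST.MF` carries a `Plugin-Version` header. The manifest text embedded in it is constructed for the example.

```python
"""Check whether an installed pipeline-input-step plugin is below the first
patched version (2.7) for CVE-2017-1000108.

Added example for this advisory entry; not code from the plugin or from
Jenkins. Assumes the usual Jenkins layout:
$JENKINS_HOME/plugins/<short-name>/META-INF/MANIFEST.MF
"""
import re
from pathlib import Path

PLUGIN_SHORT_NAME = "pipeline-input-step"   # Jenkins short name of the plugin
FIRST_PATCHED = "2.7"                        # from the advisory table above

# Constructed sample manifest, shaped like the ones Jenkins plugin packaging
# writes. The JAR manifest format wraps long values onto continuation lines
# that start with a single space, so the parser has to unfold those.
SAMPLE_MANIFEST = """\
Manifest-Version: 1.0
Short-Name: pipeline-input-step
Long-Name: Pipeline: Input Step
Plugin-Version: 2.6
Plugin-Dependencies: workflow-step-api:2.9,workflow-support:2.12,
 structs:1.5
"""


def parse_manifest(text):
    """Return manifest headers as a dict, unfolding continuation lines."""
    headers = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and last_key is not None:
            headers[last_key] += raw[1:]      # continuation of previous header
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue                          # not a header line; skip
        last_key = key.strip()
        headers[last_key] = value.strip()
    return headers


def version_key(version):
    """Map '2.7', '2.10' or '2.7.1-beta' to a tuple of ints for comparison.

    Only the leading dotted-numeric part counts; a string compare would
    wrongly rank '2.10' below '2.7'.
    """
    match = re.match(r"[\d.]+", version.strip())
    parts = match.group(0).split(".") if match else []
    return tuple(int(p) for p in parts if p != "")


def is_vulnerable(installed, first_patched=FIRST_PATCHED):
    """True when installed < first_patched, i.e. inside the advisory's range."""
    return version_key(installed) < version_key(first_patched)


def assess_manifest(text):
    """Return (installed_version, vulnerable) for one manifest's text."""
    version = parse_manifest(text).get("Plugin-Version", "")
    if not version:
        raise ValueError("manifest has no Plugin-Version header")
    return version, is_vulnerable(version)


def assess_jenkins_home(jenkins_home):
    """Read the real manifest under JENKINS_HOME; None if plugin not installed."""
    manifest = Path(jenkins_home) / "plugins" / PLUGIN_SHORT_NAME / "META-INF" / "MANIFEST.MF"
    if not manifest.is_file():
        return None
    return assess_manifest(manifest.read_text(encoding="utf-8"))


if __name__ == "__main__":
    version, vulnerable = assess_manifest(SAMPLE_MANIFEST)
    state = "VULNERABLE (upgrade to >= %s)" % FIRST_PATCHED if vulnerable else "patched"
    print("%s %s: %s" % (PLUGIN_SHORT_NAME, version, state))
```

Run against a live controller with `assess_jenkins_home("/var/lib/jenkins")` (or wherever `JENKINS_HOME` points); the sample manifest in the block reports version 2.6 as vulnerable, while 2.7 and later fall outside the advisory's range. The numeric version comparison matters because a plain string comparison would treat a future 2.10 as older than 2.7.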