Miggo Logo
Miggo Vulnerability Database
CVE-2017-2652

CVE-2017-2652:
Missing permission checks in Jenkins Distributed Fork Plugin

8.8

CVSS Score
3.0

Basic Information

CVE ID
CVE-2017-2652
GHSA ID
GHSA-2cm5-f78c-h2c8
EPSS Score
0.4344%
CWE
CWE-287
Published
5/13/2022
Updated
1/30/2024
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:distforkmaven<= 1.5.01.6.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing Computer.BUILD permission checks in the CLI command handler. The dist-fork command execution entry point (DistForkCommand.execute) would appear in runtime profiles during exploitation as it's the method that processes and executes arbitrary commands. The security advisory explicitly states the missing permission check was addressed in 1.6.0 by adding Computer.BUILD verification, confirming this as the vulnerable entry point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

It w*s *oun* t**t t**r* w*r* no p*rmission ****ks p*r*orm** in t** *istri*ut** *ork plu*in ***or* *n* in*lu*in* *.*.* *or J*nkins t**t provi**s t** *ist-*ork *LI *omm*n* **yon* t** **si* ****k *or Ov*r*ll/R*** p*rmission, *llowin* *nyon* wit* t**t p*

Reasoning

T** vuln*r**ility st*ms *rom missin* `*omput*r.*UIL*` p*rmission ****ks in t** *LI *omm*n* **n*l*r. T** *ist-*ork *omm*n* *x**ution *ntry point (`*ist*ork*omm*n*.*x**ut*`) woul* *pp**r in runtim* pro*il*s *urin* *xploit*tion *s it's t** m*t*o* t**t p