
CVE-2018-1000114: Jenkins Promoted Builds Plugin allowed unauthorized users to run some promotion processes

4.3

CVSS Score
3.0

Basic Information

EPSS Score
0.07093%
Published
5/13/2022
Updated
1/30/2024
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Package Name: org.jenkins-ci.plugins:promoted-builds
Ecosystem: maven
Vulnerable Versions: <= 2.31.1
First Patched Version: 3.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from missing authorization checks in promotion approval/execution flows. Status.java handles promotion actions via doApprove()/doRestart() endpoints, while ManualCondition.java governs approval logic. The advisory specifically calls out these files and describes missing permission checks for users with only Job.Read access. The functions identified are the entry points for promotion operations that lacked proper security controls in vulnerable versions.


WAF Protection Rules

WAF Rule

An improper authorization vulnerability exists in Jenkins Promoted Builds Plugin 2.31.1 and earlier in Status.java and ManualCondition.java that allows an attacker with read access to jobs to perform promotions.
