CVE-2018-1000114: Jenkins Promoted Builds Plugin allowed unauthorized users to run some promotion processes
CVSS Score: 4.3 (CVSS v3.0)
Basic Information
CVE ID: CVE-2018-1000114
GHSA ID
EPSS Score: 0.07093%
CWE
Published: 5/13/2022
Updated: 1/30/2024
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.jenkins-ci.plugins:promoted-builds | maven | <= 2.31.1 | 3.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing authorization checks in the promotion approval and execution flows. Status.java exposes the promotion actions through the doApprove() and doRestart() endpoints, while ManualCondition.java governs the approval logic. The advisory calls out these files specifically and describes the missing permission checks: a user with only Job.Read access could reach these endpoints. The functions identified are the entry points for promotion operations, and in vulnerable versions (2.31.1 and earlier) they lacked the permission check that should gate them.
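As an added illustrative sketch (not the Promoted Builds plugin's code and not taken from the advisory), the two shapes a Stapler web method on a Jenkins job action can take: one reachable by anyone with Job.Read because it never checks a permission of its own, and one that fails closed before any side effect. The class and method names are assumed, and Item.BUILD stands in for the plugin's own promotion permission.

```java
// Illustrative only: class and method names are assumptions, not the plugin's code.
import hudson.model.AbstractProject;
import hudson.model.Action;
import hudson.model.Cause;
import hudson.model.Item;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class PromotionStatusAction implements Action {
    private final AbstractProject<?, ?> project; // the job this action is attached to

    public PromotionStatusAction(AbstractProject<?, ?> project) {
        this.project = project;
    }

    // Vulnerable shape: Jenkins only requires Job.Read to reach the job's URL space,
    // and this web method adds no check of its own, so any reader can trigger it.
    @RequirePOST
    public HttpResponse doApproveUnchecked() {
        runPromotion();
        return HttpResponses.redirectToDot();
    }

    // Hardened shape: checkPermission() throws AccessDeniedException (rendered as
    // HTTP 403) when the caller lacks the permission, so nothing below it runs.
    // Item.BUILD is a stand-in here for the plugin's promotion permission (assumption).
    @RequirePOST
    public HttpResponse doApprove() {
        project.checkPermission(Item.BUILD);
        runPromotion();
        return HttpResponses.redirectToDot();
    }

    // Stand-in for scheduling the promotion process: queues a build of the job,
    // attributing it to the authenticated user so the audit trail names the approver.
    private void runPromotion() {
        project.scheduleBuild2(0, new Cause.UserIdCause());
    }

    @Override public String getIconFileName() { return null; } // no sidebar entry
    @Override public String getDisplayName() { return "Promotion status"; }
    @Override public String getUrlName() { return "promotion"; }
}
```

The defender's check for this class of bug is to confirm that every do*() web method that changes state calls checkPermission() with something stronger than Job.Read before it acts.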