CVSS Score
The vulnerability stemmed from three missing authorization checks: 1) FolderLibraries enumerated folder-level libraries without requiring Item.CONFIGURE on the folder, 2) GlobalLibraries exposed global library configuration without requiring Jenkins.RUN_SCRIPTS, and 3) LibraryConfiguration's version validation endpoint enforced no permission at all. The patch adds explicit permission checks (Item.CONFIGURE for folder-level libraries, Jenkins.RUN_SCRIPTS for global ones) and restricts the validation endpoint to POST requests (@RequirePOST), so it can no longer be triggered by a plain GET, which is the CSRF route; the accompanying test cases confirm that unauthorized users are now rejected. All three code paths handle library configuration data, including each library's SCM source, which matches the vulnerability description of SCM repository information being exposed to users with only read access.
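To make the authorization pattern concrete, here is an added Java illustration of the three code paths in their unpatched and patched shapes. It is not the plugin's own code: the class and method names (SharedLibraryAccessExample, listFolderLibraries, doCheckVersion and so on) and the Library holder are hypothetical, while Item.CONFIGURE, Jenkins.RUN_SCRIPTS, AccessControlled, FormValidation and @RequirePOST are the real Jenkins and Stapler APIs the patch relies on.

```java
// Added illustration of the fixed authorization pattern; this is not the plugin's own code.
// Class, method and field names below are hypothetical. The Jenkins/Stapler APIs used
// (Item.CONFIGURE, Jenkins.RUN_SCRIPTS, AccessControlled, @RequirePOST, FormValidation) are real.
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import hudson.model.Item;
import hudson.security.AccessControlled;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class SharedLibraryAccessExample {

    /** Hypothetical stand-in for a configured library: its name plus its SCM source. */
    public static final class Library {
        public final String name;
        public final String scmUrl;   // the sensitive part: the repository location
        public Library(String name, String scmUrl) { this.name = name; this.scmUrl = scmUrl; }
    }

    // --- 1) Folder-level library enumeration -------------------------------------------

    /** Unpatched shape: every caller who can reach the folder sees every library and its SCM URL. */
    public static List<Library> listFolderLibrariesUnpatched(List<Library> configured) {
        return new ArrayList<>(configured);
    }

    /**
     * Patched shape: the folder (an AccessControlled object such as a Folder item) must grant
     * Item.CONFIGURE to the current user before any library detail is returned.
     * Read-only users get an empty list instead of the repository URLs.
     */
    public static List<Library> listFolderLibraries(AccessControlled folder, List<Library> configured) {
        if (!folder.hasPermission(Item.CONFIGURE)) {
            return Collections.emptyList();
        }
        return new ArrayList<>(configured);
    }

    // --- 2) Global library configuration ----------------------------------------------

    /** Patched shape: global libraries are an administrator-level setting, gated on Jenkins.RUN_SCRIPTS. */
    public static List<Library> listGlobalLibraries(Jenkins jenkins, List<Library> configured) {
        jenkins.checkPermission(Jenkins.RUN_SCRIPTS);   // throws AccessDeniedException otherwise
        return new ArrayList<>(configured);
    }

    // --- 3) Version validation endpoint ------------------------------------------------

    /**
     * Unpatched shape of a Stapler form-validation method: reachable by GET with no permission
     * check, so any user who can reach it (or a CSRF page in their browser) can make Jenkins
     * evaluate the input against the library's SCM and report the result back.
     */
    public FormValidation doCheckVersionUnpatched(@QueryParameter String value) {
        return validateVersion(value);
    }

    /**
     * Patched shape: @RequirePOST rejects GET (the CSRF vector) and the permission check mirrors
     * the configuration screen the field belongs to: Item.CONFIGURE inside a folder,
     * Jenkins.RUN_SCRIPTS for the global configuration (no ancestor Item in the request path).
     * Jenkins.get() is assumed here; older cores spell it Jenkins.getInstance().
     */
    @RequirePOST
    public FormValidation doCheckVersion(@AncestorInPath Item context, @QueryParameter String value) {
        if (context != null) {
            context.checkPermission(Item.CONFIGURE);
        } else {
            Jenkins.get().checkPermission(Jenkins.RUN_SCRIPTS);
        }
        return validateVersion(value);
    }

    /** Hypothetical local check; the real one would consult the library's SCM for the version. */
    private static FormValidation validateVersion(String value) {
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.error("A version is required");
        }
        return FormValidation.ok();
    }
}
```

Two design points carry over to any Jenkins form-validation or enumeration method. First, checkPermission throws AccessDeniedException and is the right call for an endpoint that should fail loudly, whereas hasPermission returns a boolean and is the right call for a listing that should simply omit what the caller may not see. Second, the permission a doCheck* method enforces should be the same one required to submit the form it validates; a validation endpoint with a weaker check than its form leaks configuration to exactly the read-only users this fix is about. When verifying a fix of this kind, request the endpoint as a user with only Overall/Read and Job/Read and expect a rejection both for a GET (blocked by @RequirePOST) and for a POST (blocked by the permission check).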
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins.workflow:workflow-cps-global-lib | maven | <= 2.14 | 2.15 |