-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI
JavaJava| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:vmanager-plugin | maven | < 4.0.1-288.v8804beaacb7f | 4.0.1-288.v8804b_ea_a_cb_7f |
Miggo AIRoot Cause AnalysisThe vulnerability lies in several doTestConnection, doTestArchiveUser, and doTestExtraStaticAttr methods across different classes within the Jenkins Cadence vManager Plugin. These methods are typically used in Jenkins to validate form inputs in configuration pages. Before the patch, these methods would attempt to connect to a user-specified URL with user-specified credentials without checking if the current user had the necessary Item.CONFIGURE permissions. The patch (commit b08b571ebc4d5d6b4bc80e65e4ddf45760a32cca) consistently adds item.checkPermission(Item.CONFIGURE); to these methods. The absence of this check is the core of the vulnerability, as it allows users with only Overall/Read permission to trigger these connections. The identified functions are the exact methods where this permission check was missing and subsequently added. The names include the class and the inner DescriptorImpl class where these methods are typically defined for Jenkins UI interactions.
Ongoing coverage of React2Shell