Improper Authentication

Affecting org.jenkins-ci.plugins:cloud-stats artifact, versions [,0.27)


Overview

org.jenkins-ci.plugins:cloud-stats is a plugin that collects the activities of other plugins, visualizes them, and exposes them to other plugins through an API.

Affected versions of this package are vulnerable to Improper Authentication: the plugin does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission and knowledge of random activity IDs to view the related provisioning exception error messages.
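To show the defect class in Jenkins terms, here is an added illustration that is not the cloud-stats plugin's own code: a hypothetical Stapler root action (`ExampleActivityAction`, URL name `exampleActivity`, and the choice of `Jenkins.ADMINISTER` are all assumptions) with an unchecked endpoint beside its hardened form. Stapler serves any public `doXxx` method to whoever can reach the UI, so the explicit `checkPermission` call is what keeps Overall/Read plus a guessed ID from being enough.

```java
import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.GET;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical root action exposing stored provisioning error messages under /exampleActivity/. */
@Extension
public class ExampleActivityAction implements RootAction {

    // Constructed sample store: activity id -> exception message captured during provisioning.
    private final Map<String, String> errors = new ConcurrentHashMap<>();

    @Override public String getIconFileName() { return null; } // no sidebar link
    @Override public String getDisplayName() { return null; }
    @Override public String getUrlName() { return "exampleActivity"; }

    /** Called by the (hypothetical) provisioning code when an attempt fails. */
    public void record(String activityId, Throwable t) {
        errors.put(activityId, String.valueOf(t.getMessage()));
    }

    // VULNERABLE PATTERN: no explicit permission check. Reaching this method only requires
    // being able to load the Jenkins UI, i.e. Overall/Read, plus knowledge of the id.
    @GET
    public HttpResponse doErrorUnchecked(@QueryParameter String id) {
        String msg = errors.get(id);
        return msg == null ? HttpResponses.notFound() : HttpResponses.plainText(msg);
    }

    // HARDENED PATTERN: check the permission before consulting the data, so an
    // under-privileged caller gets 403 and learns neither the message nor whether the id
    // exists (the 404/200 difference). The permission chosen is an assumption; use the one
    // that matches the resource being protected.
    @GET
    public HttpResponse doError(@QueryParameter String id) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER); // throws AccessDeniedException
        String msg = errors.get(id);
        return msg == null ? HttpResponses.notFound() : HttpResponses.plainText(msg);
    }
}
```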

Remediation

A fix was pushed into the master branch but not yet published.

References

CVSS Score

3.1
low severity
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Credit: Daniel Beck
CVE: CVE-2021-21631
CWE: CWE-287
Snyk ID: SNYK-JAVA-ORGJENKINSCIPLUGINS-1089863
Disclosed: 31 Mar, 2021
Published: 31 Mar, 2021