Missing Authorization in Shared Library Version Override

#VU100593 Missing Authorization in Shared Library Version Override

Cybersecurity Help s.r.o.

Published: 2024-11-18

Vulnerability identifier: #VU100593

Vulnerability risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-52554

CWE-ID: CWE-862

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Shared Library Version Override
Web applications / Modules and components for CMS

Vendor: Jenkins

Description

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to the script security bypass. A remote user can configure a folder-scoped library override that runs without sandbox protection.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Shared Library Version Override: 17.v786074c9fce7

External links
http://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3466

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Missing Authorization in Jenkins Shared Library Version Override plugin