Jenkins · Jenkins Support Core Plugin · CVE-2022-45383
**Name of the Vulnerable Software and Affected Versions**
Jenkins Support Core Plugin versions 1206.v14049fa_b_d860 and earlier
**Description**
Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier does not correctly perform a permission check in several HTTP endpoints. This allows attackers with `Support/DownloadBundle` permission to download previously created support bundles, which contain diagnostic information intended only for users with `Overall/Administer` permission. The result is access to sensitive diagnostic data by users who were never granted administrative rights.
**Recommendations**
For Jenkins Support Core Plugin versions 1206.v14049fa_b_d860 and earlier, update to version 1206.1208.v9b_7a_1d48db_0f or later. That release requires `Overall/Administer` permission to download support bundles and deprecates the `Support/DownloadBundle` permission. As a temporary workaround until the update can be applied, restrict `Support/DownloadBundle` to users who already hold `Overall/Administer`, since granting it to anyone else provides no real separation on affected versions.
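As an added example (not part of the advisory or of the Jenkins project's own code), the following Python checks whether an instance runs an affected Support Core Plugin release. It reads the JSON returned by Jenkins' `/pluginManager/api/json?depth=1` endpoint and compares the leading numeric components of the installed version with those of the first fixed release. Jenkins "incrementals" versions look like `1206.v14049fa_b_d860` (commit count, then `v` plus an abbreviated git hash), so only the numeric components are ordered; the sample JSON below is constructed to mirror the shape of that endpoint's output and is not real output from any instance.

```python
"""Flag a Jenkins instance whose Support Core Plugin is affected by CVE-2022-45383."""
import json
import re

# Plugin id as Jenkins reports it, and the first fixed release named in the advisory.
SUPPORT_CORE = "support-core"
FIXED_VERSION = "1206.1208.v9b_7a_1d48db_0f"


def numeric_prefix(version: str) -> tuple:
    """Return the leading dotted numeric components of a Jenkins plugin version.

    '1206.v14049fa_b_d860' -> (1206,)   '1206.1208.v9b_7a_1d48db_0f' -> (1206, 1208)
    '2.81' -> (2, 81)   The trailing 'v<hash>' token carries no ordering information.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised plugin version: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True when the installed version sorts before the first fixed release."""
    return numeric_prefix(version) < numeric_prefix(FIXED_VERSION)


def installed_support_core(plugin_manager_json: str):
    """Find the support-core entry in /pluginManager/api/json?depth=1 output.

    Returns the plugin's JSON object, or None when the plugin is not installed.
    """
    data = json.loads(plugin_manager_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == SUPPORT_CORE:
            return plugin
    return None


def assess(plugin_manager_json: str) -> str:
    """Classify the instance: not-installed, disabled, vulnerable or fixed.

    A disabled plugin serves no HTTP endpoints, so it is not exposed, but it is
    still reported separately because it will become exposed if re-enabled.
    """
    plugin = installed_support_core(plugin_manager_json)
    if plugin is None:
        return "not-installed"
    if not plugin.get("active", True):
        return "disabled"
    return "vulnerable" if is_vulnerable(plugin["version"]) else "fixed"


# Constructed sample in the shape of the plugin manager API response (not real output).
SAMPLE = json.dumps({"plugins": [
    {"shortName": "support-core", "version": "1206.v14049fa_b_d860", "active": True},
    {"shortName": "git", "version": "4.11.5", "active": True},
]})

if __name__ == "__main__":
    # In practice feed this the body of an authenticated GET to
    # https://<jenkins>/pluginManager/api/json?depth=1
    print(assess(SAMPLE))
```

Run it against the real endpoint with credentials that can read the plugin manager; a `vulnerable` result means the `Support/DownloadBundle` grants in the instance should be reviewed immediately and the plugin updated.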