CVE-2017-1000105

Name of the Vulnerable Software and Affected Versions Jenkins Blue Ocean (affected versions not specified)

Description The issue concerns the insufficient permission checks in Blue Ocean, a plugin for Jenkins. Specifically, when the optional Run/Artifacts permission is enabled by setting a Java system property, Blue Ocean failed to check this permission before providing access to archived artifacts. Instead, it only required the Item/Read permission, which is insufficient for securing access to artifacts. This oversight could potentially allow unauthorized access to sensitive data.

Recommendations To resolve the issue, update Blue Ocean to a version that correctly checks the Run/Artifacts permission if it’s enabled before providing access to artifacts. As a temporary workaround, consider disabling the optional Run/Artifacts permission by not setting the corresponding Java system property until a patch is available.