PT-2024-30269 · Jenkins

Author: Daniel Beck

Published: 2024-08-07

Updated: 2024-09-19

CVE-2024-43045

CVSS v3.1: 6.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.470 and earlier; Jenkins LTS versions 2.452.3 and earlier

Description: The issue arises from a missing permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to access other users' "My Views". Additionally, attackers with global View/Configure and View/Delete permissions can modify other users' "My Views".

Recommendations: For Jenkins versions 2.470 and earlier, update to version 2.471 or later to restrict access to a user's "My Views" to the owning user and administrators. For Jenkins LTS versions 2.452.3 and earlier, update to version 2.452.4 or later, or version 2.462.1 or later, to restrict access to a user's "My Views" to the owning user and administrators.

Fix

Weakness Enumeration

Improper Authorization
Missing Authorization

Related Identifiers

BIT-JENKINS-2024-43045
CVE-2024-43045
GHSA-8PV9-QH96-9HC6

Affected Products

Jenkins
Red Os