{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-52549", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "state": "PUBLISHED", "assignerShortName": "jenkins", "dateReserved": "2024-11-12T15:28:28.980Z", "datePublished": "2024-11-13T20:53:00.291Z", "dateUpdated": "2024-11-13T21:35:30.700Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2024-11-13T20:53:00.291Z"}, "affected": [{"vendor": "Jenkins Project", "product": "Jenkins Script Security Plugin", "versions": [{"version": "0", "versionType": "maven", "lessThanOrEqual": "1362.v67dc1f0e1b_b_3", "status": "affected"}, {"version": "1365.v4778ca_84b_de5", "status": "affected"}, {"version": "1366.vd44b_49a_5c85c", "versionType": "maven", "lessThanOrEqual": "1367.vdf2fc45f229c", "status": "affected"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files on the controller file system."}], "references": [{"name": "Jenkins Security Advisory 2024-11-13", "url": "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3447", "tags": ["vendor-advisory"]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-862", "lang": "en", "description": "CWE-862 Missing Authorization"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-11-13T21:35:27.415468Z", "id": "CVE-2024-52549", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-13T21:35:30.700Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-52549", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-13T21:35:27.415468Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-13T21:35:23.410Z"}}], "cna": {"affected": [{"vendor": "Jenkins Project", "product": "Jenkins Script Security Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "maven", "lessThanOrEqual": "1362.v67dc1f0e1b_b_3"}, {"status": "affected", "version": "1365.v4778ca_84b_de5"}, {"status": "affected", "version": "1366.vd44b_49a_5c85c", "versionType": "maven", "lessThanOrEqual": "1367.vdf2fc45f229c"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3447", "name": "Jenkins Security Advisory 2024-11-13", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files on the controller file system."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2024-11-13T20:53:00.291Z"}}}, "cveMetadata": {"cveId": "CVE-2024-52549", "state": "PUBLISHED", "dateUpdated": "2024-11-13T21:35:30.700Z", "dateReserved": "2024-11-12T15:28:28.980Z", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "datePublished": "2024-11-13T20:53:00.291Z", "assignerShortName": "jenkins"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files on the controller file system."}, {"lang": "es", "value": "El complemento de seguridad de script de Jenkins 1367.vdf2fc45f229c y anteriores, excepto 1365.1367.va_3b_b_89f8a_95b_ y 1362.1364.v4cf2dc5d8776, no realiza una verificaci\u00f3n de permisos en un m\u00e9todo que implementa la validaci\u00f3n de formulario, lo que permite a los atacantes con permiso general/de lectura verificar la existencia de archivos en el sistema de archivos del controlador."}], "id": "CVE-2024-52549", "lastModified": "2024-11-15T14:00:09.720", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-11-13T21:15:29.233", "references": [{"source": "jenkinsci-cert@googlegroups.com", "url": "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3447"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:2223", "cpe": "cpe:/a:redhat:ocp_tools:4.12::el8", "package": "jenkins-0:2.479.3.1740464431-3.el8", "product_name": "OCP-Tools-4.12-RHEL-8", "release_date": "2025-03-04T00:00:00Z"}, {"advisory": "RHSA-2025:2223", "cpe": "cpe:/a:redhat:ocp_tools:4.12::el8", "package": "jenkins-2-plugins-0:4.12.1740464689-1.el8", "product_name": "OCP-Tools-4.12-RHEL-8", "release_date": "2025-03-04T00:00:00Z"}, {"advisory": "RHSA-2025:2222", "cpe": "cpe:/a:redhat:ocp_tools:4.13::el8", "package": "jenkins-0:2.479.3.1740464433-3.el8", "product_name": "OCP-Tools-4.13-RHEL-8", "release_date": "2025-03-04T00:00:00Z"}, {"advisory": "RHSA-2025:2222", "cpe": "cpe:/a:redhat:ocp_tools:4.13::el8", "package": "jenkins-2-plugins-0:4.13.1740464698-1.el8", "product_name": "OCP-Tools-4.13-RHEL-8", "release_date": "2025-03-04T00:00:00Z"}, {"advisory": "RHSA-2025:2221", "cpe": "cpe:/a:redhat:ocp_tools:4.14::el8", "package": "jenkins-0:2.479.3.1740109575-3.el8", "product_name": "OCP-Tools-4.14-RHEL-8", "release_date": "2025-03-04T00:00:00Z"}, {"advisory": "RHSA-2025:2221", "cpe": "cpe:/a:redhat:ocp_tools:4.14::el8", "package": "jenkins-2-plugins-0:4.14.1740109868-1.el8", "product_name": "OCP-Tools-4.14-RHEL-8", "release_date": "2025-03-04T00:00:00Z"}, {"advisory": "RHSA-2025:2220", "cpe": "cpe:/a:redhat:ocp_tools:4.15::el8", "package": "jenkins-0:2.479.3.1740051993-3.el8", "product_name": "OCP-Tools-4.15-RHEL-8", "release_date": "2025-03-04T00:00:00Z"}, {"advisory": "RHSA-2025:2220", "cpe": "cpe:/a:redhat:ocp_tools:4.15::el8", "package": "jenkins-2-plugins-0:4.15.1740052174-1.el8", "product_name": "OCP-Tools-4.15-RHEL-8", "release_date": "2025-03-04T00:00:00Z"}, {"advisory": "RHSA-2025:2219", "cpe": "cpe:/a:redhat:ocp_tools:4.16::el9", "package": "jenkins-0:2.479.3.1739896390-3.el9", "product_name": "OCP-Tools-4.16-RHEL-9", "release_date": "2025-03-04T00:00:00Z"}, {"advisory": "RHSA-2025:2219", "cpe": "cpe:/a:redhat:ocp_tools:4.16::el9", "package": "jenkins-2-plugins-0:4.16.1739896683-1.el9", "product_name": "OCP-Tools-4.16-RHEL-9", "release_date": "2025-03-04T00:00:00Z"}, {"advisory": "RHSA-2025:2218", "cpe": "cpe:/a:redhat:ocp_tools:4.17::el9", "package": "jenkins-0:2.479.3.1739859586-3.el9", "product_name": "OCP-Tools-4.17-RHEL-9", "release_date": "2025-03-04T00:00:00Z"}, {"advisory": "RHSA-2025:2218", "cpe": "cpe:/a:redhat:ocp_tools:4.17::el9", "package": "jenkins-2-plugins-0:4.17.1739859908-1.el9", "product_name": "OCP-Tools-4.17-RHEL-9", "release_date": "2025-03-04T00:00:00Z"}], "bugzilla": {"description": "jenkins-plugin/script-security: Jenkins Script Security Plugin File Disclosure Vulnerability", "id": "2326034", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2326034"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-862", "details": ["Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files on the controller file system.", "A flaw was found in the Jenkins Script Security Plugin. This vulnerability allows attackers with Overall/Read permission to check for the existence of files on the controller file system via a method that implements form validation that does not perform a permission check."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-52549", "public_date": "2024-11-13T20:53:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-52549\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-52549\nhttps://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3447"], "threat_severity": "Moderate"}