{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-52551", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "state": "PUBLISHED", "assignerShortName": "jenkins", "dateReserved": "2024-11-12T15:28:28.980Z", "datePublished": "2024-11-13T20:53:01.666Z", "dateUpdated": "2024-11-14T15:05:27.789Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2024-11-13T20:53:01.666Z"}, "affected": [{"vendor": "Jenkins Project", "product": "Jenkins Pipeline: Declarative Plugin", "versions": [{"version": "0", "versionType": "maven", "lessThanOrEqual": "2.2214.vb_b_34b_2ea_9b_83", "status": "affected"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Jenkins Pipeline: Declarative Plugin 2.2214.vb_b_34b_2ea_9b_83 and earlier does not check whether the main (Jenkinsfile) script used to restart a build from a specific stage is approved, allowing attackers with Item/Build permission to restart a previous build whose (Jenkinsfile) script is no longer approved."}], "references": [{"name": "Jenkins Security Advisory 2024-11-13", "url": "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3361", "tags": ["vendor-advisory"]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-276", "lang": "en", "description": "CWE-276 Incorrect Default Permissions"}]}], "affected": [{"vendor": "jenkins_project", "product": "jenkins_pipeline_declaratrive_plugin", "cpes": ["cpe:2.3:a:jenkins_project:jenkins_pipeline_declaratrive_plugin:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.2214.vb_b_34b_2ea_9b_83", "versionType": "maven"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-11-14T15:01:46.015703Z", "id": "CVE-2024-52551", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-14T15:05:27.789Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"affected": [{"vendor": "Jenkins Project", "product": "Jenkins Pipeline: Declarative Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "maven", "lessThanOrEqual": "2.2214.vb_b_34b_2ea_9b_83"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3361", "name": "Jenkins Security Advisory 2024-11-13", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Jenkins Pipeline: Declarative Plugin 2.2214.vb_b_34b_2ea_9b_83 and earlier does not check whether the main (Jenkinsfile) script used to restart a build from a specific stage is approved, allowing attackers with Item/Build permission to restart a previous build whose (Jenkinsfile) script is no longer approved."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2024-11-13T20:53:01.666Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-52551", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-11-14T15:01:46.015703Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:jenkins_project:jenkins_pipeline_declaratrive_plugin:*:*:*:*:*:*:*:*"], "vendor": "jenkins_project", "product": "jenkins_pipeline_declaratrive_plugin", "versions": [{"status": "affected", "version": "0", "versionType": "maven", "lessThanOrEqual": "2.2214.vb_b_34b_2ea_9b_83"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-276", "description": "CWE-276 Incorrect Default Permissions"}]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2024-11-14T15:05:21.271Z"}}]}, "cveMetadata": {"cveId": "CVE-2024-52551", "state": "PUBLISHED", "dateUpdated": "2024-11-13T20:53:01.666Z", "dateReserved": "2024-11-12T15:28:28.980Z", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "datePublished": "2024-11-13T20:53:01.666Z", "assignerShortName": "jenkins"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins Pipeline: Declarative Plugin 2.2214.vb_b_34b_2ea_9b_83 and earlier does not check whether the main (Jenkinsfile) script used to restart a build from a specific stage is approved, allowing attackers with Item/Build permission to restart a previous build whose (Jenkinsfile) script is no longer approved."}, {"lang": "es", "value": "Jenkins Pipeline: Declarative Plugin 2.2214.vb_b_34b_2ea_9b_83 y anteriores no verifica si el script principal (Jenkinsfile) utilizado para reiniciar una compilaci\u00f3n desde una etapa espec\u00edfica est\u00e1 aprobado, lo que permite a los atacantes con permiso de Elemento/Compilaci\u00f3n reiniciar una compilaci\u00f3n anterior cuyo script (Jenkinsfile) ya no est\u00e1 aprobado."}], "id": "CVE-2024-52551", "lastModified": "2024-11-15T14:00:09.720", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-11-13T21:15:29.350", "references": [{"source": "jenkinsci-cert@googlegroups.com", "url": "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3361"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "jenkins-plugin/pipeline-model-definition: Jenkins Pipeline Declarative Plugin Allows Restart of Builds with Unapproved Jenkinsfile", "id": "2326047", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2326047"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-862", "details": ["Jenkins Pipeline: Declarative Plugin 2.2214.vb_b_34b_2ea_9b_83 and earlier does not check whether the main (Jenkinsfile) script used to restart a build from a specific stage is approved, allowing attackers with Item/Build permission to restart a previous build whose (Jenkinsfile) script is no longer approved.", "A flaw was found in Jenkins Pipeline: Declarative Plugin (pipeline-model-definition). This vulnerability allows attackers with Item/Build permission to restart a previous build whose (Jenkinsfile) script is no longer approved via insufficient script approval checks."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-52551", "package_state": [{"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "org.jenkinsci.plugins/pipeline-model-definition", "product_name": "OpenShift Developer Tools and Services"}], "public_date": "2024-11-13T20:53:01Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-52551\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-52551\nhttps://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3361"], "statement": "This vulnerability is rated as Important due to the risk it poses by allowing attackers with Item/Build permissions to restart a previous build using an unapproved Jenkinsfile script, this could result in unauthorized execution of scripts, compromising the integrity of the build process.", "threat_severity": "Important"}