CVE-2017-1000086
Missing permission checks in Jenkins Periodic Backup Plugin allow every user to change settings
8.0
HIGH
CVSS 3.1
EPSS 0.09%
描述
The Periodic Backup Plugin did not perform any permission checks, allowing any user with Overall/Read access to change its settings, trigger backups, restore backups, download backups, and also delete all previous backups via log rotation. Additionally, the plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks.
如何修補 CVE-2017-1000086
要修補 CVE-2017-1000086,請將受影響套件升級到下列已修補版本。
- —升級至 1.5 或更新版本
CVE-2017-1000086 正在被利用嗎?
低 — EPSS 為 0.1%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- from 0, < 1.5
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.0 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |