[WEBSITE-778] Strange wording in SECURITY-1995 advisory - Jenkins Jira

XML

Word

Printable

Details

Type: Bug
Status: Done (View Workflow)
Priority: Minor
Resolution: Fixed
Component/s: content
Labels:
- security-1995

Similar Issues:

Show

Description

The published SECURITY-1995 advisory says:

requests-plugin Plugin 2.2.6 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to view the list of pending requests.

requests-plugin Plugin 2.2.7 requires Overall/Read permission to view the list of pending requests.

This seems to contradict itself. I suspect the second sentence should be:

This allows attackers without Overall/Read permission to view the list of pending requests.

Attachments

Issue Links

links to

PR 4450

Activity

Ascending order - Click to sort in descending order

Daniel Beck added a comment - 2021-07-02 11:44

kon Thanks for the report!

The sentence you identified is correct, but the fix is not: It now requires Overall/Administer permission to view.

https://github.com/jenkins-infra/jenkins.io/pull/4450 fixes it.

Daniel Beck added a comment - 2021-07-02 11:44 kon Thanks for the report! The sentence you identified is correct, but the fix is not: It now requires Overall/Administer permission to view. https://github.com/jenkins-infra/jenkins.io/pull/4450 fixes it.

Kalle Niemitalo added a comment - 2021-08-05 09:59

The fix is live already.

Kalle Niemitalo added a comment - 2021-08-05 09:59 The fix is live already.

People

Assignee:: Daniel Beck

Reporter:: Kalle Niemitalo

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2021-07-02 10:58

Updated:: 2021-08-05 09:59

Resolved:: 2021-08-05 09:59

Jenkins Website