
Strange wording in SECURITY-1995 advisory


    Details


      Description

      The published SECURITY-1995 advisory says:

      requests-plugin Plugin 2.2.6 and earlier does not perform a permission check in an HTTP endpoint.

      This allows attackers with Overall/Read permission to view the list of pending requests.

      requests-plugin Plugin 2.2.7 requires Overall/Read permission to view the list of pending requests.

      This seems to contradict itself. I suspect the second sentence should be:

      This allows attackers without Overall/Read permission to view the list of pending requests.

            Activity

            kon Kalle Niemitalo created issue -
            kon Kalle Niemitalo made changes -
            Field Original Value New Value
            Link This issue relates to SECURITY-1995 [ SECURITY-1995 ]
            kon Kalle Niemitalo made changes -
            Labels security-1995
            danielbeck Daniel Beck made changes -
            Assignee Daniel Beck [ danielbeck ]
            danielbeck Daniel Beck added a comment -

            Kalle Niemitalo Thanks for the report!

            The sentence you identified is correct, but the fix is not: It now requires Overall/Administer permission to view.

            https://github.com/jenkins-infra/jenkins.io/pull/4450 fixes it.

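The advisory and the comment above describe three states of one HTTP endpoint: no permission check at all, a check for Overall/Read that every reader already passes, and the intended check for Overall/Administer. The Jenkins plugin code below is an added illustration written for this page, not the requests-plugin's own source; the class name, URL name and sample data are invented, and only the Jenkins and Stapler APIs used (RootAction, @GET, Jenkins.get().checkPermission, HttpResponses.okJSON) are real.

```java
package example; // hypothetical package for this illustration

import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import net.sf.json.JSONArray;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.verb.GET;

/**
 * Illustrative root action that exposes a list of pending requests under
 * /pendingRequestsExample/. Hidden from the sidebar (null icon and display
 * name), but Stapler still routes HTTP requests to its do* methods.
 * Not the requests-plugin's code: names and data are made up.
 */
@Extension
public class PendingRequestsExampleAction implements RootAction {

    // Constructed sample data standing in for the plugin's pending requests.
    private static final String[] PENDING = {"delete-job: foo", "unlock-job: bar"};

    @Override public String getIconFileName() { return null; }
    @Override public String getDisplayName() { return null; }
    @Override public String getUrlName() { return "pendingRequestsExample"; }

    /**
     * State 1, the pattern the advisory describes for 2.2.6 and earlier:
     * GET /pendingRequestsExample/listUnchecked performs no permission check,
     * so anyone who can reach the Jenkins instance at all, i.e. anyone with
     * Overall/Read, receives the data.
     */
    @GET
    public HttpResponse doListUnchecked() {
        return HttpResponses.okJSON(JSONArray.fromObject(PENDING));
    }

    /**
     * State 2, the insufficient fix the comment above points out: checking
     * Overall/Read changes nothing, because reaching this URL already
     * requires Overall/Read. The check passes for exactly the same callers.
     */
    @GET
    public HttpResponse doListReadOnly() {
        Jenkins.get().checkPermission(Jenkins.READ);
        return HttpResponses.okJSON(JSONArray.fromObject(PENDING));
    }

    /**
     * State 3, the intended fix: require Overall/Administer before returning
     * anything. checkPermission throws an access-denied exception, which
     * Jenkins renders as HTTP 403, when the current user lacks the permission,
     * so no data is serialized for non-administrators.
     */
    @GET
    public HttpResponse doList() {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return HttpResponses.okJSON(JSONArray.fromObject(PENDING));
    }
}
```

The check belongs at the top of the web method, before any data is loaded or serialized, and the permission it checks must be stronger than the one already needed to reach the URL; otherwise the endpoint is as exposed as before, which is exactly the point of the wording correction in this issue.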
            danielbeck Daniel Beck made changes -
            Status To Do [ 10003 ] In Review [ 10005 ]
            danielbeck Daniel Beck made changes -
            Remote Link This issue links to "PR 4450 (Web Link)" [ 26812 ]
            kon Kalle Niemitalo added a comment -

            The fix is live already.

            kon Kalle Niemitalo made changes -
            Resolution Fixed [ 1 ]
            Status In Review [ 10005 ] Done [ 10004 ]

People

Assignee: danielbeck Daniel Beck
Reporter: kon Kalle Niemitalo
Votes: 0
Watchers: 2