Jenkins Website / WEBSITE-778

Strange wording in SECURITY-1995 advisory

    Description

      The published SECURITY-1995 advisory says:

      requests-plugin Plugin 2.2.6 and earlier does not perform a permission check in an HTTP endpoint.

      This allows attackers with Overall/Read permission to view the list of pending requests.

      requests-plugin Plugin 2.2.7 requires Overall/Read permission to view the list of pending requests.

      This seems to contradict itself. I suspect the second sentence should be:

      This allows attackers without Overall/Read permission to view the list of pending requests.

            People

              danielbeck Daniel Beck
              kon Kalle Niemitalo