Missing permission check in Jenkins CloudBees CD Plugin allows scheduling builds

Jenkins CloudBees CD Plugin does not perform a permission check in an HTTP endpoint.

This allows attackers with Item/Read permission to schedule builds of projects without having Item/Build permission.

Jenkins CloudBees CD Plugin requires Item/Build permission to schedule builds via its HTTP endpoint.

Published by the National Vulnerability Database Apr 21, 2021

Published to the GitHub Advisory Database May 24, 2022

Reviewed Dec 13, 2022

Last updated Dec 15, 2023

Provide feedback