Bug 2326034 (CVE-2024-52549)

Summary: CVE-2024-52549 jenkins-plugin/script-security: Jenkins Script Security Plugin File Disclosure Vulnerability
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Jenkins Script Security Plugin. This vulnerability allows attackers with Overall/Read permission to check for the existence of files on the controller file system via a method that implements form validation that does not perform a permission check.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2024-11-13 21:01:49 UTC 
Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files on the controller file system.
Comment 2 errata-xmlrpc 2025-03-04 14:17:44 UTC 
This issue has been addressed in the following products:

  OCP-Tools-4.16-RHEL-9

Via RHSA-2025:2219 https://access.redhat.com/errata/RHSA-2025:2219
Comment 3 errata-xmlrpc 2025-03-04 14:19:27 UTC 
This issue has been addressed in the following products:

  OCP-Tools-4.13-RHEL-8

Via RHSA-2025:2222 https://access.redhat.com/errata/RHSA-2025:2222
Comment 4 errata-xmlrpc 2025-03-04 14:37:11 UTC 
This issue has been addressed in the following products:

  OCP-Tools-4.17-RHEL-9

Via RHSA-2025:2218 https://access.redhat.com/errata/RHSA-2025:2218
Comment 5 errata-xmlrpc 2025-03-04 14:37:54 UTC 
This issue has been addressed in the following products:

  OCP-Tools-4.15-RHEL-8

Via RHSA-2025:2220 https://access.redhat.com/errata/RHSA-2025:2220
Comment 6 errata-xmlrpc 2025-03-04 14:38:18 UTC 
This issue has been addressed in the following products:

  OCP-Tools-4.14-RHEL-8

Via RHSA-2025:2221 https://access.redhat.com/errata/RHSA-2025:2221
Comment 7 errata-xmlrpc 2025-03-04 14:38:44 UTC 
This issue has been addressed in the following products:

  OCP-Tools-4.12-RHEL-8

Via RHSA-2025:2223 https://access.redhat.com/errata/RHSA-2025:2223