Replies: 1 comment 1 reply
-
|
Unsure what the question is. Are you looking for https://www.jenkins.io/doc/developer/security/form-validation/ ? |
Beta Was this translation helpful? Give feedback.
-
|
CVE-2022-27205 states "A missing permission check ... allows attackers with Overall/Read permission to connect to an attacker-specified URL". I don't understand how any permission check could mitigate this concern. If the ability to use urls is removed, (lines 134-136), can the security advisory be closed? (This capability to use any url for properties is not documented.) Additionally, since doCheckPropertyFile does not implement additional permission checks, this method is a golden oracle for whether a particular properties file exists and whether a particular property exists within that file. Is this information leakage sufficient to keep the security advisory open? |
Beta Was this translation helpful? Give feedback.
-
CSRF vulnerability and missing permission checks allow SSRF security advisory mentions both permission checks and CSRF. CRSF was done in #39. @daniel-beck What's left to complete with permission checks?
Beta Was this translation helpful? Give feedback.
All reactions