[io.jenkins.plugins:aws-global-configuration] Missing permission check in Jenkins AWS Global Configuration Plugin allows replacing plugin configuration

AWS Global Configuration Plugin 1.5 and earlier does not perform a permission check in an HTTP endpoint processing form submissions.

This allows attackers with Overall/Read permission to replace the global AWS configuration.

AWS Global Configuration Plugin 1.6 properly performs permission checks when processing configuration form submissions.

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-2311
• https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2101
• https://github.com/advisories/GHSA-7v7g-mh53-89hw