[io.jenkins.blueocean:blueocean] Missing permission check in Blue Ocean Plugin

Updated 2020-09-16

This entry previously misidentified the problematic behavior. The HTTP request itself is legitimate, but only authorized users should be able to perform it.

Original Description

Blue Ocean Plugin 1.23.2 and earlier does not perform permission checks in several HTTP endpoints implementing connection tests.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Blue Ocean Plugin 1.23.3 requires Item/Create permission to perform these connection tests.

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-2255
• https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1961
• http://www.openwall.com/lists/oss-security/2020/09/16/3
• https://github.com/advisories/GHSA-vc7g-4269-f7hw