[org.jenkins-ci.plugins:cloudbees-jenkins-advisor] Incorrect permission check in Health Advisor by CloudBees Plugin

Health Advisor by CloudBees Plugin 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to view an administrative configuration page.

Health Advisor by CloudBees Plugin 3.2.1 requires Overall/Administer to view its administrative configuration page.

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-2258
• https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1998
• http://www.openwall.com/lists/oss-security/2020/09/16/3
• https://github.com/advisories/GHSA-c445-xm3f-hmfh