Description
Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents.
Remediation
References
http://www.securityfocus.com/bid/95956
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2611
https://github.com/jenkinsci/jenkins/commit/97a61a9fe55f4c16168c123f98301a5173b9fa86
https://jenkins.io/security/advisory/2017-02-01/
Related Vulnerabilities
CVE-2022-44729 Vulnerability in maven package org.apache.xmlgraphics:batik-bridge
CVE-2016-6797 Vulnerability in maven package org.apache.tomcat:catalina
CVE-2023-26136 Vulnerability in npm package tough-cookie
CVE-2023-37944 Vulnerability in maven package org.datadog.jenkins.plugins:datadog
CVE-2020-1745 Vulnerability in maven package io.undertow:undertow-core