VYPR
Moderate severity · NVD Advisory · Published Nov 25, 2013 · Updated Apr 29, 2026

CVE-2013-6373


Description

The Exclusion Plugin for Jenkins before 0.9 fails to enforce access control on resource locks, allowing authenticated users with any role to list and release resources.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The Exclusion plugin before version 0.9 for Jenkins does not properly restrict access to resource locks managed by the plugin's administration panel. The AdministrationPanel class, which is exposed as a RootAction, was missing permission checks before listing or releasing resources. This allows any remote authenticated user, regardless of their actual permissions, to call the release and list endpoints. The fix adds a StaplerProxy implementation that checks for the Jenkins.ADMINISTER permission before processing any request [4].
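To make the mechanism concrete, here is an added illustrative example (not code from the Exclusion plugin or its authors) of a minimal Jenkins RootAction in both states: an unchecked panel whose do* methods are reachable by any authenticated user, and a hardened panel that applies the same StaplerProxy pattern the fix commit uses. The class names, URL names, icon name and the in-memory lock table are hypothetical; the Jenkins and Stapler APIs (RootAction, StaplerProxy, Jenkins.ADMINISTER, checkPermission, hasPermission, HttpResponses.redirectToDot) are real. Two top-level classes share one file for compactness.

```java
// Added illustrative example, not the Exclusion plugin's own code.
package example; // hypothetical package

import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerProxy;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * BEFORE (the CVE-2013-6373 shape): nothing checks a permission, so any
 * authenticated user can hit /uncheckedLocks/release?resource=... and drop a
 * lock that a running job relies on. Not registered with @Extension on purpose.
 */
class UncheckedLockPanel implements RootAction {
    // Hypothetical lock table: resource name -> holder (job name).
    static final Map<String, String> LOCKS = new ConcurrentHashMap<>();

    public String getIconFileName() { return "lock.png"; }      // hypothetical icon
    public String getDisplayName()  { return "Unchecked locks"; }
    public String getUrlName()      { return "uncheckedLocks"; }

    // Reachable by every logged-in user: no checkPermission anywhere.
    public HttpResponse doRelease(@QueryParameter String resource) {
        LOCKS.remove(resource);
        return HttpResponses.redirectToDot();
    }

    public Map<String, String> doList() {
        return LOCKS;
    }
}

/**
 * AFTER: implementing StaplerProxy makes Stapler call getTarget() before it
 * dispatches to any view or do* method under this action, so a single
 * ADMINISTER check covers release, list and the index page alike.
 */
@Extension
public class CheckedLockPanel implements RootAction, StaplerProxy {
    static final Map<String, String> LOCKS = new ConcurrentHashMap<>();

    // Hide the sidebar link from users who would only receive a 403 anyway.
    public String getIconFileName() {
        return Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER) ? "lock.png" : null;
    }
    public String getDisplayName() { return "Checked locks"; }
    public String getUrlName()     { return "checkedLocks"; }

    // Gate for every request routed through this RootAction.
    // checkPermission throws AccessDeniedException (rendered as HTTP 403)
    // for callers without ADMINISTER. On newer cores Jenkins.get() can be used.
    public Object getTarget() {
        Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
        return this;
    }

    // Unchanged bodies: the protection lives in getTarget(), not here.
    public HttpResponse doRelease(@QueryParameter String resource) {
        LOCKS.remove(resource);
        return HttpResponses.redirectToDot();
    }

    public Map<String, String> doList() {
        return LOCKS;
    }
}
```

The design point is that the check sits at the dispatch boundary rather than inside each handler, so a method added later cannot be forgotten; the trade-off is that the whole panel, including its read-only index page, becomes admin-only, which is what the fix commit chose.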

Exploitation

An attacker needs only a valid Jenkins login (any level of access). No special privileges are required. The attacker can navigate to the Exclusion plugin's administration panel endpoint and use the "Release resource" button or directly call the corresponding doRelease or doList stapler methods. The release action is performed via a combo box that lists currently allocated resources; the attacker can select any resource and trigger release by clicking the button [2][3].

Impact

A successful exploit allows an attacker to release resource locks that are held by running jobs. This can cause resource conflicts, potentially leading to denial of service or race conditions where jobs that depend on exclusive access to a shared resource (defined by resource names used as semaphores) may execute concurrently, breaking the exclusion guarantee [2][3]. The vulnerability does not allow full remote code execution or data leakage, but it undermines the core purpose of the plugin.

Mitigation

The plugin version 0.9 contains the fix, as evidenced by the commit that added StaplerProxy and the Jenkins.ADMINISTER permission check [4]. Users should update to version 0.9 or later. No workaround is available if the plugin is installed and enabled; upgrading is the only solution. The plugin is now in adoption status and may not receive further updates [2], but version 0.9 addresses the issue.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:exclusion (Maven)
Affected versions: < 0.9
Patched versions: 0.9

Affected products (4)

  • cpe:2.3:a:jenkins-ci:exclusion:0.6:-:*:*:*:cloudbees_jenkins:*:*
  • cpe:2.3:a:jenkins-ci:exclusion:0.7:-:*:*:*:cloudbees_jenkins:*:*
  • cpe:2.3:a:jenkins-ci:exclusion:*:-:*:*:*:cloudbees_jenkins:*:* (range: <=0.8)

Patches (1)

Commit 847f9aeb407c

[FIXED SECURITY-53]

Repository: https://github.com/jenkinsci/exclusion-plugin · Author: Kohsuke Kawaguchi · Nov 19, 2013 · via ghsa
1 file changed · +8 −1
  • src/main/java/org/jvnet/hudson/plugins/exclusion/AdministrationPanel.java (+8 −1, modified)
    @@ -14,7 +14,9 @@
     import java.util.List;
     import java.util.Map;
     
    +import jenkins.model.Jenkins;
     import org.kohsuke.stapler.QueryParameter;
    +import org.kohsuke.stapler.StaplerProxy;
     import org.kohsuke.stapler.StaplerRequest;
     import org.kohsuke.stapler.StaplerResponse;
     import org.kohsuke.stapler.export.ExportedBean;
    @@ -25,7 +27,7 @@
      */
     @ExportedBean
     @Extension
    -public class AdministrationPanel implements RootAction {
    +public class AdministrationPanel implements RootAction, StaplerProxy {
     
         // Link to the IdAllocator resources list
         private List<RessourcesMonitor> listRessources;
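Review bot: missing documentation on the class declaration: AdministrationPanel now implements StaplerProxy, but nothing in the class Javadoc says that the entire panel (index view, doList, doRelease) is gated on Jenkins.ADMINISTER by getTarget(); add a one-line note so that later additions of do* methods or views are understood to be covered by that single check rather than needing, or appearing to lack, their own.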
    @@ -41,6 +43,11 @@ public AdministrationPanel() {
             listRessources = IdAllocator.getListRessources();
         }
     
    +    public Object getTarget() {
    +        Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
    +        return this;
    +    }
    +
         //Called for each page load of administration
         public void load() {
     
    
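Review bot: the getTarget() check is the right gate, since Stapler calls it before dispatching to any view or do* method under this RootAction, so doList and doRelease are both covered by the one checkPermission(Jenkins.ADMINISTER) call; two follow-ups worth considering in the same change: return null from getIconFileName() for users without ADMINISTER so the sidebar link is not shown to users who would only receive a 403, and add a test that exercises the panel as a non-admin user and expects AccessDeniedException, so the gate cannot be silently dropped later.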

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0)

No linked articles in our index yet.