CVE-2018-1000015
Description
Incorrect permission checks in Jenkins Pipeline: Nodes and Processes plugin allowed execution of pipeline node blocks on agents lacking Computer/Build permission, affecting versions 2.17 and earlier.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Pipeline: Nodes and Processes plugin versions 2.17 and earlier incorrectly perform permission checks when executing node blocks. On Jenkins instances using the Authorize Project plugin, the authentication associated with a build may lack the Computer/Build permission on some agents. Despite this lack of permission, the node block is allowed to execute due to the flawed checks. [1][2]
Exploitation
An attacker with the ability to create or trigger a Pipeline job can include a node block targeting an agent for which the build's authentication does not have the Computer/Build permission. The incorrect permission validation in the plugin fails to prevent the execution, allowing the attacker to run builds on agents they are not authorized to use. [2]
Impact
Successful exploitation allows the attacker to execute Pipeline node blocks on agents where they lack the required permission. This can lead to unauthorized access to sensitive data, code execution on those agents, and potential lateral movement within the Jenkins environment. [1][2]
Mitigation
The vulnerability is fixed in Pipeline: Nodes and Processes plugin version 2.18 and later. Jenkins users should update the plugin to the latest version to enforce proper permission checks. No workaround is available. [2]
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins.workflow:workflow-durable-task-step (Maven) | < 2.18 | 2.18 |
References
- github.com/advisories/GHSA-9r7f-rqhw-j8h8 (source: ghsa, type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-1000015 (source: ghsa, type: ADVISORY)
- jenkins.io/security/advisory/2018-01-22 (source: ghsa, type: WEB)
- jenkins.io/security/advisory/2018-01-22/ (source: mitre, type: x_refsource_CONFIRM)