CVE-2024-52549
Description
Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files on the controller file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2024-52549: A missing permission check in Jenkins Script Security Plugin allows attackers with Overall/Read to probe for file existence on the controller file system.
Overview
CVE-2024-52549 is a medium-severity vulnerability in the Jenkins Script Security Plugin, versions 1367.vdf2fc45f229c and earlier (excluding the patched releases 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776). The plugin fails to perform a required permission check in a method that handles form validation. [2]
Exploitation
An attacker with only Overall/Read permission — the lowest access level in Jenkins — can exploit this flaw by invoking the affected form validation method. No additional authentication or privileges are needed beyond that read-level access. Since the method does not enforce the expected Overall/Administer permission, the attacker can send crafted requests to the Jenkins controller. [1][2]
Impact
Successful exploitation allows the attacker to check for the existence of arbitrary files on the Jenkins controller's file system. While this is a file-existence oracle and does not directly expose file contents, it can be used to map the file system, identify the presence of sensitive files (e.g., credentials, configuration files, or custom scripts), and potentially aid in further attacks. [2][3]
Remediation
The plugin version 1368.vb_b_402e3547e7 resolves the issue by requiring the Overall/Administer permission for the affected form validation method. Jenkins administrators should update the Script Security Plugin to this version or later immediately. No workarounds are documented, and the vendor advisory recommends the upgrade as the sole mitigation. [2]
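The fix pattern described above, shown as an added Java illustration that is not the plugin's own code: the descriptor class, the `doCheckPath` method name and the "path" field it validates are hypothetical, while `Jenkins.get().checkPermission`, `Jenkins.ADMINISTER` and `FormValidation` are the real Jenkins core APIs a plugin would use.

```java
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import java.io.File;

// Hypothetical descriptor; only the shape of the form-validation method matters here.
public class ExampleDescriptor {

    // Vulnerable shape: Stapler exposes doCheck* methods as web endpoints, so anyone
    // with Overall/Read who can reach this URL learns whether a controller-side path
    // exists (a file-existence oracle, the issue the advisory describes).
    public FormValidation doCheckPathUnchecked(@QueryParameter String value) {
        if (new File(value).exists()) {
            return FormValidation.ok();
        }
        return FormValidation.error("File does not exist on the controller");
    }

    // Hardened shape: require Overall/Administer before touching the file system,
    // matching the remediation described above. checkPermission throws
    // AccessDeniedException (rendered as HTTP 403) for callers lacking the permission,
    // so the existence check never runs for them.
    public FormValidation doCheckPath(@QueryParameter String value) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (new File(value).exists()) {
            return FormValidation.ok();
        }
        return FormValidation.error("File does not exist on the controller");
    }
}
```

Reviewing every `doCheck*` / `doFill*` / `doTest*` method in a plugin for an explicit permission check (and for the `@RequirePOST` annotation where the method has side effects) is the practical audit that catches this class of bug before release.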
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:script-security (Maven) | < 1368.vb | 1368.vb |
Affected products
OSV coordinates (11 entries, 10 version ranges):
- pkg:apk/chainguard/jenkins (no CPE): range < 2.487-r0
- pkg:apk/chainguard/jenkins-2.462 (no CPE): range < 2.462.3-r3
- pkg:apk/chainguard/jenkins-2.479 (no CPE): range < 2.479.1-r2
- pkg:apk/chainguard/jenkins-2.479-compat (no CPE): range < 2.479.1-r2
- pkg:apk/chainguard/jenkins-2.479-remoting (no CPE): range < 2.479.1-r2
- pkg:apk/wolfi/jenkins (no CPE): range < 2.487-r0
- pkg:apk/wolfi/jenkins-2.479 (no CPE): range < 2.479.1-r2
- pkg:apk/wolfi/jenkins-2.479-compat (no CPE): range < 2.479.1-r2
- pkg:apk/wolfi/jenkins-2.479-remoting (no CPE): range < 2.479.1-r2
- pkg:maven/org.jenkins-ci.plugins/script-security (no CPE): range < 1368.vb
- Jenkins Project / Jenkins Script Security Plugin (v5 record, range: 0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-jv82-75fh-23r7 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-52549 (GHSA, advisory)
- www.jenkins.io/security/advisory/2024-11-13/ (GHSA, vendor advisory, web)
News mentions
- Jenkins Security Advisory 2024-11-13 (Jenkins Security Advisories, Nov 13, 2024)