First published: Wed May 06 2020(Updated: )
Copy Artifact Plugin 1.43.1 and earlier performs improper permission checks when determining whether a build can copy artifacts from another project build. This allows attackers, usually with Job/Configure permission, to configure jobs to copy artifacts from jobs they have no permission to access. Copy Artifact Plugin 1.44 now properly performs permission checks when copying artifacts. When updating the plugin from a previous version, the previous behavior is retained (\"Migration mode\"). To enable the additional protections, switch to the new \"Production mode\". Doing so may cause existing jobs to fail to copy artifacts. For more information see the [plugin documentation](https://github.com/jenkinsci/copyartifact-plugin).
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
Affected Software | Affected Version | How to fix |
---|---|---|
Jenkins Copy Artifact | <=1.43.1 | |
maven/org.jenkins-ci.plugins:copyartifact | <=1.43.1 | 1.44 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.