CVE-2017-1000084
Parameterized Trigger Plugin fails to check Item/Build permission
Severity: 6.5 MEDIUM (CVSS 3.1)
EPSS: 0.04%
Description
Parameterized Trigger Plugin fails to check Item/Build permission: The Parameterized Trigger Plugin did not check the build authentication it was running as and allowed triggering any other project in Jenkins. The plugin has been adapted to now check for Item/Build permission before triggering a downstream build.
How to fix CVE-2017-1000084
To remediate CVE-2017-1000084, upgrade the affected package to a fixed version below.
- Upgrade to 2.35.1 or later
Is CVE-2017-1000084 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2.35.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |