{"id":"CVE-2024-52549","details":"Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files on the controller file system.","aliases":["GHSA-jv82-75fh-23r7"],"modified":"2026-02-11T15:53:43.445543Z","published":"2024-11-13T21:15:29.233Z","related":["CGA-q5xm-83fm-g7c7"],"references":[{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3447"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/script-security-plugin","events":[{"introduced":"0"},{"fixed":"4cf2dc5d8776b119e25d203abbe695fc618c5129"},{"introduced":"d44b49a5c85ce49ce5ea9fffb03e1f34f3804b4a"},{"fixed":"df2fc45f229c75a4ab8c88800bee49370462eb7b"}]}],"versions":["1366.vd44b_49a_5c85c"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-52549.json","vanir_signatures":[{"source":"https://github.com/jenkinsci/script-security-plugin/commit/4cf2dc5d8776b119e25d203abbe695fc618c5129","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["193410768796351728727837844957838058436","308449359965148705106045089545175663024","70254606833208612478548142620525665098","145388454790940895567368335367892403959","31321161448093970395994335414378363678","312627828705634245046445452119695915922","68318486562706965078557680180936860408","20352715551907359143121437263126143571","90652348198020426199518007589717669421","101534678982371058730167491000974325178","152630884979021048180118070804443023465","105924225983465571160070043219025750091","256005176241261059819027871433164645265","219636036993808822974804566224973852703","268733109085444326595412406276556843127","292489530028342391509674792423830728461","131124704568120059738221446934279290012"]},"id":"CVE-2024-52549-0e0a8c4a","deprecated":false,"target":{"file":"src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntryTest.java"},"signature_version":"v1"},{"source":"https://github.com/jenkinsci/script-security-plugin/commit/4cf2dc5d8776b119e25d203abbe695fc618c5129","signature_type":"Function","digest":{"length":469,"function_hash":"259207047481206575408060854090071958148"},"id":"CVE-2024-52549-25799be9","deprecated":false,"target":{"function":"doCheckPath","file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntry.java"},"signature_version":"v1"},{"source":"https://github.com/jenkinsci/script-security-plugin/commit/df2fc45f229c75a4ab8c88800bee49370462eb7b","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["115990658712768387970246809154395868532","138186676522442842801574422223029159040","16726508723013188499162524662484829422","72085625145467891578345819093221342977","180932663159761635786772658322431584324","73620906761983200820242889826469696064","198647728397962202604970700199692099222","243398820114319998908652490873345731413"]},"id":"CVE-2024-52549-294b46e4","deprecated":false,"target":{"file":"src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalTest.java"},"signature_version":"v1"},{"source":"https://github.com/jenkinsci/script-security-plugin/commit/df2fc45f229c75a4ab8c88800bee49370462eb7b","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["298265654008938900139586682242761835059","303587941315548539570852169976695413163","76319504842640797098792906537605975876","7540902196679299518401904062414760912","216755525460860575574372774138002558995","293223426762218016099662457675975582593","116459599334184889173696816944066522699"]},"id":"CVE-2024-52549-2d981b70","deprecated":false,"target":{"file":"src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest.java"},"signature_version":"v1"},{"source":"https://github.com/jenkinsci/script-security-plugin/commit/df2fc45f229c75a4ab8c88800bee49370462eb7b","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["121401065745272691456616809290432105089","99936363009884750065822361300637807244","172018105309702121110937462130282164555","181079154230001530921029546761840148201","74513349661603546449462425540165311816","153442747822212526140513866453217909526","57219779169175303186725252468359239681","105124471788567763517570906078603911370","93259062579358952363566289665693448404","281932561138603240275824642854817483176","328643586658102199960297314873532001011","149272798313611667480993815337082537984","138288843478249037364598363937821730233"]},"id":"CVE-2024-52549-2fb85fad","deprecated":false,"target":{"file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java"},"signature_version":"v1"},{"source":"https://github.com/jenkinsci/script-security-plugin/commit/df2fc45f229c75a4ab8c88800bee49370462eb7b","signature_type":"Function","digest":{"length":1344,"function_hash":"188002348004619004866325142170773354096"},"id":"CVE-2024-52549-32900fb1","deprecated":false,"target":{"function":"checking","file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java"},"signature_version":"v1"},{"source":"https://github.com/jenkinsci/script-security-plugin/commit/df2fc45f229c75a4ab8c88800bee49370462eb7b","signature_type":"Function","digest":{"length":841,"function_hash":"78318377833623162319083426021434693671"},"id":"CVE-2024-52549-65b33ab0","deprecated":false,"target":{"function":"forceSandboxFormValidation","file":"src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalTest.java"},"signature_version":"v1"},{"source":"https://github.com/jenkinsci/script-security-plugin/commit/df2fc45f229c75a4ab8c88800bee49370462eb7b","signature_type":"Function","digest":{"length":84,"function_hash":"261680094247190067394564486575379511082"},"id":"CVE-2024-52549-746ae4fc","deprecated":false,"target":{"function":"SecureGroovyScript","file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java"},"signature_version":"v1"},{"source":"https://github.com/jenkinsci/script-security-plugin/commit/4cf2dc5d8776b119e25d203abbe695fc618c5129","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["24547975384074007603511287741408394634","235005261391228511367957503664577997348","169968529053850430407217217721100964666","328917981062353611706021529637738109754","157086698411370408145979854950384106838","208053156037906562936496021286795690056","147097497329705971013015164632204890555"]},"id":"CVE-2024-52549-786c6515","deprecated":false,"target":{"file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntry.java"},"signature_version":"v1"},{"source":"https://github.com/jenkinsci/script-security-plugin/commit/df2fc45f229c75a4ab8c88800bee49370462eb7b","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["16891613943620612653978312594482224495","298049473950118688869798983929592032603","79758890575670226786386453639940994600","75088921506804996324325156702303897976","307166972000958071940537280991130042706","5008135733829923149531728199062633833","89845335589148858983403311433725570392","65374015000272467200107067845940956311","172812549018666363085804745166099284071","229930563476338384423532964211594367796","325072502388188998019657649268129567841","46415241839535215826317488315243059981","179416388391728769889967166997326854743"]},"id":"CVE-2024-52549-7cbaab08","deprecated":false,"target":{"file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java"},"signature_version":"v1"},{"source":"https://github.com/jenkinsci/script-security-plugin/commit/df2fc45f229c75a4ab8c88800bee49370462eb7b","signature_type":"Function","digest":{"length":150,"function_hash":"72819067873394351852238086679347781357"},"id":"CVE-2024-52549-a39d2273","deprecated":false,"target":{"function":"SecureGroovyScript","file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java"},"signature_version":"v1"}]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}