{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-52554", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "state": "PUBLISHED", "assignerShortName": "jenkins", "dateReserved": "2024-11-12T15:28:28.980Z", "datePublished": "2024-11-13T20:53:03.613Z", "dateUpdated": "2024-11-13T21:36:03.550Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2024-11-13T20:53:03.613Z"}, "affected": [{"vendor": "Jenkins Project", "product": "Jenkins Shared Library Version Override Plugin", "versions": [{"version": "0", "versionType": "maven", "lessThanOrEqual": "17.v786074c9fce7", "status": "affected"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Jenkins Shared Library Version Override Plugin 17.v786074c9fce7 and earlier declares folder-scoped library overrides as trusted, so that they're not executed in the Script Security sandbox, allowing attackers with Item/Configure permission on a folder to configure a folder-scoped library override that runs without sandbox protection."}], "references": [{"name": "Jenkins Security Advisory 2024-11-13", "url": "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3466", "tags": ["vendor-advisory"]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-862", "lang": "en", "description": "CWE-862 Missing Authorization"}]}], "affected": [{"vendor": "jenkins", "product": "shared_library_version_override", "cpes": ["cpe:2.3:a:jenkins:shared_library_version_override:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "17.v786074c9fce7", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-11-13T21:21:30.496245Z", "id": "CVE-2024-52554", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-13T21:36:03.550Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-52554", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-11-13T21:21:30.496245Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:jenkins:shared_library_version_override:*:*:*:*:*:*:*:*"], "vendor": "jenkins", "product": "shared_library_version_override", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "17.v786074c9fce7"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-13T21:31:27.091Z"}}], "cna": {"affected": [{"vendor": "Jenkins Project", "product": "Jenkins Shared Library Version Override Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "maven", "lessThanOrEqual": "17.v786074c9fce7"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3466", "name": "Jenkins Security Advisory 2024-11-13", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Jenkins Shared Library Version Override Plugin 17.v786074c9fce7 and earlier declares folder-scoped library overrides as trusted, so that they're not executed in the Script Security sandbox, allowing attackers with Item/Configure permission on a folder to configure a folder-scoped library override that runs without sandbox protection."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2024-11-13T20:53:03.613Z"}}}, "cveMetadata": {"cveId": "CVE-2024-52554", "state": "PUBLISHED", "dateUpdated": "2024-11-13T21:36:03.550Z", "dateReserved": "2024-11-12T15:28:28.980Z", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "datePublished": "2024-11-13T20:53:03.613Z", "assignerShortName": "jenkins"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:shared_library_version_override:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "1F157EB3-F633-4DCB-B2E1-CC7B390AD269", "versionEndIncluding": "17.v786074c9fce7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins Shared Library Version Override Plugin 17.v786074c9fce7 and earlier declares folder-scoped library overrides as trusted, so that they're not executed in the Script Security sandbox, allowing attackers with Item/Configure permission on a folder to configure a folder-scoped library override that runs without sandbox protection."}, {"lang": "es", "value": "El complemento de anulaci\u00f3n de versi\u00f3n de librer\u00eda compartida de Jenkins 17.v786074c9fce7 y versiones anteriores declara que las anulaciones de librer\u00eda con \u00e1mbito de carpeta son confiables, de modo que no se ejecutan en el entorno aislado de seguridad de script, lo que permite a los atacantes con permiso de Elemento/Configurar en una carpeta configurar una anulaci\u00f3n de librer\u00eda con \u00e1mbito de carpeta que se ejecuta sin protecci\u00f3n de entorno aislado."}], "id": "CVE-2024-52554", "lastModified": "2025-10-03T00:56:06.223", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-11-13T21:15:29.540", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3466"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}