Jenkins Script Security Plugin Missing Permission Check Vulnerability Allowing Classpath Enumeration

Vulnerability

A vulnerability exists in the Jenkins Script Security Plugin in versions up to and including 1399.ve6a_66547f6e1: a missing permission check allows users with Overall/Read permission to enumerate both pending and approved Script Security classpaths. The plugin does not verify the caller's permission in an HTTP endpoint that returns classpath entries, so any authenticated user who can read the instance can retrieve classpath information that should be restricted to administrators.

Impact

Exploitation of this vulnerability could lead to unauthorized enumeration of Script Security classpaths, potentially allowing attackers to manipulate or interfere with script approvals and classpath configurations.

Remediation

Users of the Script Security Plugin should update to version 1402.v94c9ce464861, which addresses this vulnerability by requiring Overall/Administer permission to enumerate Script Security classpaths.
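The following is an added illustration of the flaw class described above and of the corrected pattern the fix applies; it is not code from the Script Security Plugin. It is a hypothetical Jenkins root action (class name, URL name and the in-memory classpath lists are all constructed for the example) written against the public Jenkins core and Stapler APIs. Jenkins already requires Overall/Read before dispatching any request to a root action, which is exactly the level of access the advisory says was enough to reach the affected endpoint; the corrected web method adds the explicit Overall/Administer check that the fixed release requires.

```java
// Added example, not the Script Security Plugin's own code: a hypothetical
// Jenkins root action contrasting an endpoint that relies only on the implicit
// Overall/Read gate with one that checks Overall/Administer explicitly.
import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import net.sf.json.JSONArray;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;

import java.util.Arrays;
import java.util.List;

@Extension
public class ClasspathExampleAction implements RootAction {

    // Constructed sample data standing in for the plugin's real classpath store.
    private final List<String> approved =
            Arrays.asList("file:/var/lib/jenkins/shared/lib-a.jar");
    private final List<String> pending =
            Arrays.asList("file:/var/lib/jenkins/shared/lib-b.jar");

    // Flawed pattern (shown only for contrast, never ship this): reachable by
    // anyone holding Overall/Read, because the only gate is the implicit check
    // Jenkins applies before dispatching to a root action. Nothing here asks
    // whether the caller is allowed to administer the instance.
    // Served at <JENKINS_URL>/classpath-example/listInsecure
    public HttpResponse doListInsecure() {
        return HttpResponses.okJSON(toJson());
    }

    // Corrected pattern: an explicit permission check before any data is read.
    // checkPermission throws hudson.security.AccessDeniedException3 for callers
    // without Overall/Administer; the web layer turns that into HTTP 403 (or a
    // login redirect for anonymous users), so the entries are never serialized.
    // Served at <JENKINS_URL>/classpath-example/list
    public HttpResponse doList() {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return HttpResponses.okJSON(toJson());
    }

    private JSONObject toJson() {
        JSONObject out = new JSONObject();
        out.put("approved", JSONArray.fromObject(approved));
        out.put("pending", JSONArray.fromObject(pending));
        return out;
    }

    @Override public String getIconFileName() { return null; } // no sidebar link
    @Override public String getDisplayName() { return "Classpath example"; }
    @Override public String getUrlName() { return "classpath-example"; }
}
```

The important design point is the placement of the check: it runs first in the web method, before any lookup, so a denied caller learns nothing about the data, and it names the permission the data actually warrants (Overall/Administer for approval-related configuration) rather than relying on the weaker permission that merely lets a request reach the action. For the advisory itself the only remediation is the plugin upgrade; the installed Script Security Plugin version can be confirmed under Manage Jenkins, Plugins, on the Installed tab.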

Added: Apr 29, 2026, 2:31 PM
Updated: Apr 29, 2026, 2:31 PM

Vulnerability Rating

Custom Algorithm

spread          6.2
impact          0.6
exploitability  5.2
remediation     7.9
relevance       7.0
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.