{"id":"CVE-2024-52549","details":"Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files on the controller file system.","aliases":["GHSA-jv82-75fh-23r7"],"modified":"2026-04-12T08:40:52.315783Z","published":"2024-11-13T21:15:29.233Z","related":["CGA-q5xm-83fm-g7c7"],"references":[{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3447"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/script-security-plugin","events":[{"introduced":"0"},{"fixed":"4cf2dc5d8776b119e25d203abbe695fc618c5129"},{"introduced":"d44b49a5c85ce49ce5ea9fffb03e1f34f3804b4a"},{"fixed":"df2fc45f229c75a4ab8c88800bee49370462eb7b"},{"introduced":"0"},{"last_affected":"4778ca84bde5981deaea798db9d174bf0b93a7b0"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1362.1364.v4cf2dc5d8776"},{"introduced":"1366.vd44b_49a_5c85c"},{"fixed":"1367.vdf2fc45f229c"},{"introduced":"0"},{"last_affected":"1365.v4778ca_84b_de5"}]}}],"versions":["1118.vba21ca2e3286","1125.v132f99385e1b_","1131.v8b_b_5eda_c328e","1138.v8e727069a_025","1140.vf967fb_efa_55a_","1145.vb_cf6cf6ed960","1146.vdf547f19a_473","1158.v7c1b_73a_69a_08","1172.v35f6a_0b_8207e","1175.v4b_d517d6db_f0","1183.v774b_0b_0a_a_451","1184.v85d16b_d851b_3","1189.vb_a_b_7c8fd5fde","1190.v65867a_a_47126","1209.v50b_005db_19db","1218.v39ca_7f7ed0a_c","1228.vd93135a_2fb_25","1229.v4880b_b_e905a_6","1244.ve463715a_f89c","1251.vfe552ed55f8d","1264.vecf66020eb_7d","1265.va_fb_290b_4b_d34","1269.v639888f5e366","1271.vdede89739a_81","1273.v66c1964f0dfd","1274.v2b_33362a_f2f5","1275.v23895f409fb_d","1281.v22fb_899df1a_e","1294.v99333c047434","1301.v0079b_cd0cdfa_","1305.v487433146192","1310.vf24a_dfce068b_","1313.v7a_6067dc7087","1321.va_73c0795b_923","1326.vdb_c154de8669","1335.vf07d9ce377a_e","1336.vf33a_a_9863911","1341.va_2819b_414686","1354.va_70a_fe478c7f","1358.vb_26663c13537","1361.v913100720139","1362.v67dc1f0e1b_b_3","1365.v4778ca_84b_de5","1366.vd44b_49a_5c85c","script-security-1.0","script-security-1.0-beta-1","script-security-1.0-beta-2","script-security-1.0-beta-3","script-security-1.0-beta-4","script-security-1.0-beta-5","script-security-1.0-beta-6","script-security-1.1","script-security-1.10","script-security-1.11","script-security-1.12","script-security-1.13","script-security-1.14","script-security-1.15","script-security-1.16","script-security-1.17","script-security-1.18","script-security-1.19","script-security-1.2","script-security-1.20","script-security-1.21","script-security-1.22","script-security-1.23","script-security-1.24","script-security-1.25","script-security-1.26","script-security-1.27","script-security-1.28","script-security-1.29","script-security-1.3","script-security-1.30","script-security-1.31","script-security-1.32","script-security-1.33","script-security-1.34","script-security-1.35","script-security-1.36","script-security-1.37","script-security-1.38","script-security-1.39","script-security-1.4","script-security-1.40","script-security-1.41","script-security-1.42","script-security-1.43","script-security-1.44","script-security-1.45","script-security-1.46","script-security-1.47","script-security-1.48","script-security-1.49","script-security-1.5","script-security-1.50","script-security-1.51","script-security-1.52","script-security-1.53","script-security-1.54","script-security-1.55","script-security-1.56","script-security-1.57","script-security-1.58","script-security-1.59","script-security-1.6","script-security-1.60","script-security-1.61","script-security-1.62","script-security-1.63","script-security-1.64","script-security-1.65","script-security-1.66","script-security-1.67","script-security-1.68","script-security-1.69","script-security-1.7","script-security-1.70","script-security-1.71","script-security-1.72","script-security-1.73","script-security-1.74","script-security-1.75","script-security-1.76","script-security-1.77","script-security-1.78","script-security-1.8","script-security-1.9"],"database_specific":{"vanir_signatures_modified":"2026-04-12T08:40:52Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-52549.json","vanir_signatures":[{"id":"CVE-2024-52549-0e0a8c4a","signature_type":"Line","source":"https://github.com/jenkinsci/script-security-plugin/commit/4cf2dc5d8776b119e25d203abbe695fc618c5129","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["193410768796351728727837844957838058436","308449359965148705106045089545175663024","70254606833208612478548142620525665098","145388454790940895567368335367892403959","31321161448093970395994335414378363678","312627828705634245046445452119695915922","68318486562706965078557680180936860408","20352715551907359143121437263126143571","90652348198020426199518007589717669421","101534678982371058730167491000974325178","152630884979021048180118070804443023465","105924225983465571160070043219025750091","256005176241261059819027871433164645265","219636036993808822974804566224973852703","268733109085444326595412406276556843127","292489530028342391509674792423830728461","131124704568120059738221446934279290012"]},"deprecated":false,"target":{"file":"src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntryTest.java"}},{"id":"CVE-2024-52549-25799be9","signature_type":"Function","source":"https://github.com/jenkinsci/script-security-plugin/commit/4cf2dc5d8776b119e25d203abbe695fc618c5129","signature_version":"v1","digest":{"function_hash":"259207047481206575408060854090071958148","length":469},"deprecated":false,"target":{"function":"doCheckPath","file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntry.java"}},{"id":"CVE-2024-52549-294b46e4","signature_type":"Line","source":"https://github.com/jenkinsci/script-security-plugin/commit/df2fc45f229c75a4ab8c88800bee49370462eb7b","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["115990658712768387970246809154395868532","138186676522442842801574422223029159040","16726508723013188499162524662484829422","72085625145467891578345819093221342977","180932663159761635786772658322431584324","73620906761983200820242889826469696064","198647728397962202604970700199692099222","243398820114319998908652490873345731413"]},"deprecated":false,"target":{"file":"src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalTest.java"}},{"id":"CVE-2024-52549-2d981b70","signature_type":"Line","source":"https://github.com/jenkinsci/script-security-plugin/commit/df2fc45f229c75a4ab8c88800bee49370462eb7b","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["298265654008938900139586682242761835059","303587941315548539570852169976695413163","76319504842640797098792906537605975876","7540902196679299518401904062414760912","216755525460860575574372774138002558995","293223426762218016099662457675975582593","116459599334184889173696816944066522699"]},"deprecated":false,"target":{"file":"src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest.java"}},{"id":"CVE-2024-52549-2fb85fad","signature_type":"Line","source":"https://github.com/jenkinsci/script-security-plugin/commit/df2fc45f229c75a4ab8c88800bee49370462eb7b","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["121401065745272691456616809290432105089","99936363009884750065822361300637807244","172018105309702121110937462130282164555","181079154230001530921029546761840148201","74513349661603546449462425540165311816","153442747822212526140513866453217909526","57219779169175303186725252468359239681","105124471788567763517570906078603911370","93259062579358952363566289665693448404","281932561138603240275824642854817483176","328643586658102199960297314873532001011","149272798313611667480993815337082537984","138288843478249037364598363937821730233"]},"deprecated":false,"target":{"file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java"}},{"id":"CVE-2024-52549-32900fb1","signature_type":"Function","source":"https://github.com/jenkinsci/script-security-plugin/commit/df2fc45f229c75a4ab8c88800bee49370462eb7b","signature_version":"v1","digest":{"function_hash":"188002348004619004866325142170773354096","length":1344},"deprecated":false,"target":{"function":"checking","file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java"}},{"id":"CVE-2024-52549-65b33ab0","signature_type":"Function","source":"https://github.com/jenkinsci/script-security-plugin/commit/df2fc45f229c75a4ab8c88800bee49370462eb7b","signature_version":"v1","digest":{"function_hash":"78318377833623162319083426021434693671","length":841},"deprecated":false,"target":{"function":"forceSandboxFormValidation","file":"src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalTest.java"}},{"id":"CVE-2024-52549-746ae4fc","signature_type":"Function","source":"https://github.com/jenkinsci/script-security-plugin/commit/df2fc45f229c75a4ab8c88800bee49370462eb7b","signature_version":"v1","digest":{"function_hash":"261680094247190067394564486575379511082","length":84},"deprecated":false,"target":{"function":"SecureGroovyScript","file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java"}},{"id":"CVE-2024-52549-786c6515","signature_type":"Line","source":"https://github.com/jenkinsci/script-security-plugin/commit/4cf2dc5d8776b119e25d203abbe695fc618c5129","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["24547975384074007603511287741408394634","235005261391228511367957503664577997348","169968529053850430407217217721100964666","328917981062353611706021529637738109754","157086698411370408145979854950384106838","208053156037906562936496021286795690056","147097497329705971013015164632204890555"]},"deprecated":false,"target":{"file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ClasspathEntry.java"}},{"id":"CVE-2024-52549-7cbaab08","signature_type":"Line","source":"https://github.com/jenkinsci/script-security-plugin/commit/df2fc45f229c75a4ab8c88800bee49370462eb7b","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["16891613943620612653978312594482224495","298049473950118688869798983929592032603","79758890575670226786386453639940994600","75088921506804996324325156702303897976","307166972000958071940537280991130042706","5008135733829923149531728199062633833","89845335589148858983403311433725570392","65374015000272467200107067845940956311","172812549018666363085804745166099284071","229930563476338384423532964211594367796","325072502388188998019657649268129567841","46415241839535215826317488315243059981","179416388391728769889967166997326854743"]},"deprecated":false,"target":{"file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java"}},{"id":"CVE-2024-52549-a39d2273","signature_type":"Function","source":"https://github.com/jenkinsci/script-security-plugin/commit/df2fc45f229c75a4ab8c88800bee49370462eb7b","signature_version":"v1","digest":{"function_hash":"72819067873394351852238086679347781357","length":150},"deprecated":false,"target":{"function":"SecureGroovyScript","file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java"}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}