{"id":"CVE-2024-52550","details":"Jenkins Pipeline: Groovy Plugin 3990.vd281dd77a_388 and earlier, except 3975.3977.v478dd9e956c3 does not check whether the main (Jenkinsfile) script for a rebuilt build is approved, allowing attackers with Item/Build permission to rebuild a previous build whose (Jenkinsfile) script is no longer approved.","aliases":["GHSA-mrpr-vr82-x88r"],"modified":"2026-04-12T09:00:29.532965Z","published":"2024-11-13T21:15:29.293Z","references":[{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3362"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/workflow-cps-plugin","events":[{"introduced":"0"},{"fixed":"478dd9e956c3efd5a4caeb2853ed90fe6b43bb54"},{"introduced":"0"},{"last_affected":"d281dd77a3888080d8e4bedd61432fbd362a05b7"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3975.3977.v478dd9e956c3"},{"introduced":"0"},{"last_affected":"3990.vd281dd77a_388"}]}}],"versions":["2633.v6baeedc13805","2640.v00e79c8113de","2644.v29a793dac95a","2646.v6ed3b5b01ff1","2648.va9433432b33c","2656.vf7a_e7b_75a_457","2659.v52d3de6044d0","2660.vb_c0412dc4e6d","2680.vf642ed4fa_d55","2682.va_473dcddc941","2683.vd0a_8f6a_1c263","2686.v7c37e0578401","2687.v3f09155513c1","2688.v39a_b_e5c49a_65","2689.v434009a_31b_f1","2692.v76b_089ccd026","2705.v0449852ee36f","2706.v71dd22b_c5a_a_2","2710.vcd48b_b_9e0e7d","2725.v7b_c717eb_12ce","2729.vea_17b_79ed57a_","2746.v0da_83a_332669","2759.v87459c4eea_ca_","2784.vd252824b_4eb_9","2801.vf82a_b_b_e3e8a_5","2802.v5ea_628154b_c2","3520.va_8fc49e2f96f","3536.vb_8a_6628079d5","3565.v4b_d9b_8c29a_b_3","3581.v2b_e4c99c76ed","3583.v4f58de0d78d5","3601.v9b_36a_d99e1cc","3606.v0b_d8b_e512dcf","3611.v201b_d9f9eb_f7","3616.vb_2e7168f4b_0c","3618.v13db_a_21f0fcf","3624.v43b_a_38b_62b_b_7","3626.v4eb_a_7d8b_2fa_4","3629.v8177e69e359a_","3635.vedb_8602eefa_c","3637.v63b_c17e0ed5b_","3641.vf58904a_b_b_5d8","3651.ve2e99a_4f4a_e5","3653.v07ea_433c90b_4","3659.v582dc37621d8","3668.v1763b_b_6ccffd","3673.v5b_dd74276262","3691.v28b_14c465a_b_b_","3693.vd5c06270e4dc","3697.vb_470e454c232","3705.va_6a_c2775a_c17","3713.vd671d4321509","3717.va_180a_fe9d3cd","3722.v85ce2a_c6240b_","3726.v83f8cff396c9","3728.vd5c88eef9154","3731.ve4b_5b_857b_a_d3","3732.vb_77c00a_57e12","3740.v6d35b_4ed5f9f","3744.v6f2c0fe0e54d","3767.vdd3e0a_65b_ef3","3769.v8b_e595e4d40d","3773.v505e0052522c","3774.v4a_d648d409ce","3785.vee73da_b_9544e","3787.v8f5dcd14a_fa_c","3791.va_c0338ea_b_59c","3793.v65dec41c3a_c3","3802.vd42b_fcf00b_a_c","3805.v769b_b_74b_db_14","3806.va_3a_6988277b_2","3812.vc3031a_b_a_c955","3817.vd20b_7e2b_692b_","3821.v9d3888c583b_1","3826.v3b_5707fe44da_","3832.vc43e04d6d68c","3835.vc2a_8f9167e92","3837.v305192405b_c0","3853.vb_a_490d892963","3859.v7f65cc865019","3867.v535458ce43fd","3880.vb_ef4b_5cfd270","3883.vb_3ff2a_e3eea_f","3889.v937e0b_3412d3","3894.vd0f0248b_a_fc4","3903.v48a_8836749e9","3908.vd6b_b_5a_a_54010","3922.va_f73b_7c4246b_","3943.v3519a_3260660","3946.v7935cb_edb_f82","3953.v19f11da_8d2fa_","3961.ve48ee2c44a_b_3","3964.v0767b_4b_a_0b_fa_","3969.vdc9d3a_efcc6a_","3975.v567e2a_1ffa_22","3990.vd281dd77a_388","workflow-cps-2.0","workflow-cps-2.1","workflow-cps-2.10","workflow-cps-2.11","workflow-cps-2.12","workflow-cps-2.13","workflow-cps-2.14","workflow-cps-2.15","workflow-cps-2.16","workflow-cps-2.17","workflow-cps-2.18","workflow-cps-2.19","workflow-cps-2.2","workflow-cps-2.20","workflow-cps-2.21","workflow-cps-2.22","workflow-cps-2.23","workflow-cps-2.24","workflow-cps-2.25","workflow-cps-2.26","workflow-cps-2.27","workflow-cps-2.28","workflow-cps-2.29","workflow-cps-2.3","workflow-cps-2.30","workflow-cps-2.31","workflow-cps-2.32","workflow-cps-2.33","workflow-cps-2.34","workflow-cps-2.35","workflow-cps-2.36","workflow-cps-2.39","workflow-cps-2.4","workflow-cps-2.40","workflow-cps-2.41","workflow-cps-2.42","workflow-cps-2.43","workflow-cps-2.44","workflow-cps-2.45","workflow-cps-2.46","workflow-cps-2.47","workflow-cps-2.48","workflow-cps-2.49","workflow-cps-2.5","workflow-cps-2.50","workflow-cps-2.51","workflow-cps-2.52","workflow-cps-2.53","workflow-cps-2.54","workflow-cps-2.55","workflow-cps-2.56","workflow-cps-2.57","workflow-cps-2.58","workflow-cps-2.58-beta-1","workflow-cps-2.59","workflow-cps-2.6","workflow-cps-2.60","workflow-cps-2.61","workflow-cps-2.62","workflow-cps-2.63","workflow-cps-2.64","workflow-cps-2.65","workflow-cps-2.66","workflow-cps-2.67","workflow-cps-2.68","workflow-cps-2.69","workflow-cps-2.7","workflow-cps-2.70","workflow-cps-2.71","workflow-cps-2.72","workflow-cps-2.73","workflow-cps-2.74","workflow-cps-2.75","workflow-cps-2.76","workflow-cps-2.77","workflow-cps-2.78","workflow-cps-2.79","workflow-cps-2.8","workflow-cps-2.80","workflow-cps-2.81","workflow-cps-2.82","workflow-cps-2.83","workflow-cps-2.84","workflow-cps-2.85","workflow-cps-2.86","workflow-cps-2.87","workflow-cps-2.88","workflow-cps-2.89","workflow-cps-2.9","workflow-cps-2.90","workflow-cps-2.91","workflow-cps-2.92","workflow-cps-2.93","workflow-cps-2.94"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-52550.json","vanir_signatures":[{"source":"https://github.com/jenkinsci/workflow-cps-plugin/commit/478dd9e956c3efd5a4caeb2853ed90fe6b43bb54","signature_type":"Line","deprecated":false,"signature_version":"v1","id":"CVE-2024-52550-9ac2d56b","target":{"file":"plugin/src/test/java/org/jenkinsci/plugins/workflow/cps/replay/ReplayActionTest.java"},"digest":{"threshold":0.9,"line_hashes":["241503016963334275481389061690319949662","165757167630658055129947342080067659295","286513685338667409456784370997701928814","203733056658760244223435409289595497667","234482627059449368060216991215284767641","339730782246751231016932725286971289569","7705090758047436668618646354031059319","301061411071208110310997100268446788023","51048813938629713974961881592460392943","244125084856819352952595829882912148068"]}},{"source":"https://github.com/jenkinsci/workflow-cps-plugin/commit/478dd9e956c3efd5a4caeb2853ed90fe6b43bb54","signature_type":"Line","deprecated":false,"signature_version":"v1","id":"CVE-2024-52550-c5fcb088","target":{"file":"plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/replay/ReplayAction.java"},"digest":{"threshold":0.9,"line_hashes":["83041952917922266203024200370135336750","129712432041274682841705936128085853368","3938606992791905801160725765869850681","196235185447533311549412594174366816794","233740712330939138948298888100925478104","133467005256878408354088993576597979729","224355069306776122284243793723485461500","298253613115526799810558994502780001870","225977230873410712923895708561969759186","233396788178087836851242354795166301061","90166536317726077285449880233981975310","336084547348892633330981263009356616334","113556496872949030179319530562217439635","335620477376328046298266635668971633096","256982650391417025987635503169422350566","177009762124131519634084263018198573103","54201665649222240105036165582305867480","85826229756235537035973519111186025936","335515362948368738309543116286405408511","208642428923002922237546792075531712645","2158000543856184304639671306502529598","115716369245171271019606619035938386017","33109444102234179430539019746189633170","86313051956754389006487119810766118438","231926552366293500366854104698072490287","213411598120264982461481833548123873461","177546532560139467087083172531985899716","301782597341187263567205537392096233986"]}},{"source":"https://github.com/jenkinsci/workflow-cps-plugin/commit/478dd9e956c3efd5a4caeb2853ed90fe6b43bb54","signature_type":"Function","deprecated":false,"signature_version":"v1","id":"CVE-2024-52550-eeab264a","target":{"file":"plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/replay/ReplayPipelineCommand.java","function":"run"},"digest":{"length":840,"function_hash":"59319320517719721185119363905614154092"}},{"source":"https://github.com/jenkinsci/workflow-cps-plugin/commit/478dd9e956c3efd5a4caeb2853ed90fe6b43bb54","signature_type":"Line","deprecated":false,"signature_version":"v1","id":"CVE-2024-52550-fac0f363","target":{"file":"plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/replay/ReplayPipelineCommand.java"},"digest":{"threshold":0.9,"line_hashes":["92995303549175838372005553951101507244","193044022111519314436425534492459383746","30729990340606279602709218203110056685","18599781497409357756919095055110567482","264590375625122311429334805475445146406","321752122521489627948427044057316136651","143374159257491922063220984367705992991","329516254398014318127342528907538059859","265488095473441348182946717389315786464","38285656636411351812630567357903927733","19345548465350307123411669397860989380","183131913060398404704743419823315360750","326086981466240870288374699483261246395","74287046045302187215385488445592981688","69228934400659891121193882656454853710","53621611776729759629382672391160474373","90775114287351915572880210723870621703","265109696668203799462771906903255334999"]}},{"source":"https://github.com/jenkinsci/workflow-cps-plugin/commit/478dd9e956c3efd5a4caeb2853ed90fe6b43bb54","signature_type":"Function","deprecated":false,"signature_version":"v1","id":"CVE-2024-52550-fb25eead","target":{"file":"plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/replay/ReplayAction.java","function":"run2"},"digest":{"length":654,"function_hash":"99162987428561518317895903366520527661"}}],"vanir_signatures_modified":"2026-04-12T09:00:29Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}]}