Job and Node ownership Plugin 0.13.0 and earlier does not perform a permission check in several HTTP endpoints. This allows attackers with Item/Read permission to change the owners and item-specific permissions of a job. Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Affected Packages

Maven com.synopsys.jenkinsci:ownership

Affected versions: 0 (last affected: 0.13.0)

Related CVEs

CVE-2022-28150

Key Information

GHSA ID

GHSA-85f9-w9cx-h363

Published

March 30, 2022 12:00 AM

Last Modified

October 27, 2023 5:17 PM

CVSS Score

7.5 /10

Primary Ecosystem

Maven

Primary Package

com.synopsys.jenkinsci:ownership

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 5, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.