Jenkins global-build-stats Plugin missing permission check can result in graph IDs being enumerated
Moderate severity, GitHub Reviewed
Published Sep 3, 2025 to the GitHub Advisory Database. Updated Sep 3, 2025.
Package
Affected versions: < 347.v32a
Patched versions: 347.v32a
Published by the National Vulnerability Database: Sep 3, 2025
Published to the GitHub Advisory Database: Sep 3, 2025
Reviewed: Sep 3, 2025
Last updated: Sep 3, 2025
Description
Jenkins global-build-stats Plugin 322.v22f4db_18e2dd and earlier does not perform permission checks in its REST API endpoints, allowing attackers with Overall/Read permission to enumerate graph IDs.
This has been patched in version 347.v32a_eb_0493c4f.