Advisories for Maven/Io.jenkins.plugins/Folder-Auth package

2025

Disabled permissions can be granted by Folder-based in Jenkins Authorization Strategy Plugin

Jenkins Folder-based Authorization Strategy Plugin 217.vd5b_18537403e and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they're no longer entitled to.

2022

Stored Cross-site Scripting in folder-auth plugin

Folder-based Authorization Strategy Plugin 1.3 and earlier does not escape the names of roles shown on the configuration form. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission. Folder-based Authorization Strategy Plugin 1.4 escapes the names of roles shown on the configuration form. See https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2646

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in io.jenkins.plugins:folder-auth.

Duplicate Advisory: Stored Cross-site Scripting vulnerability in Jenkins Folder-based Authorization Strategy Plugin

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-5vjc-qx43-r747. This link is maintained to preserve external references. Original Description Jenkins Folder-based Authorization Strategy Plugin 1.3 and earlier does not escape the names of roles shown on the configuration form, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.