Advisories for Maven/Io.jenkins.plugins/Mcp-Server package

2025

Jenkins MCP Server Plugin does not perform permission checks in multiple MCP tools

Jenkins MCP Server Plugin 0.84.v50ca_24ef83f2 and earlier does not perform permission checks in several MCP tools. This allows the following: Attackers with Item/Read permission can obtain information about the configured SCM in a job despite lacking Item/Extended Read permission (getJobScm). Attackers with Item/Read permission can trigger new builds of a job despite lacking Item/Build permission (triggerBuild). Attackers without Overall/Read permission can retrieve the names of configured clouds (getStatus). …