Description
Missing permission check in Jenkins Conjur Secrets Plugin allows enumerating credentials IDs
Conjur Secrets Plugin 1.0.11 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
Packages
Name: org.conjur.jenkins:conjur-credentials (maven)
Affected versions: < 1.0.12
Fixed version: 1.0.12
Related vulnerabilities
CVSS3: 4.3
nvd
almost 4 years ago
A missing permission check in Jenkins Conjur Secrets Plugin 1.0.11 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.