Description
Jenkins Thycotic Secret Server Plugin missing permissions check
Jenkins Thycotic Secret Server Plugin 1.0.2 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to enumerate the IDs of credentials stored in Jenkins. A credential ID is not a secret by itself, but it is the handle a second vulnerability would need in order to capture the credential's value, so the enumerated IDs serve as a building block for such an attack. Overall/Read is the lowest permission an authenticated Jenkins user normally has, which is why a missing check on an endpoint like this is rated as a vulnerability even though it discloses only identifiers.
Packages
Name
io.jenkins.plugins:thycotic-secret-server
maven
Affected versions: <= 1.0.2
Fixed version: None listed
Related vulnerabilities
CVSS3: 4.3
nvd
almost 3 years ago
A missing permission check in Jenkins Thycotic Secret Server Plugin 1.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.