exploitDog

GHSA-4g29-r7vj-2rpv

Published: 19 Oct 2022
Source: github
GitHub: Reviewed
CVSS3: 4.3

Description

Jenkins Job Import Plugin allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins

Jenkins Job Import Plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. An enumeration of credentials IDs in Job Import Plugin 3.6 requires Job Import/Import Jobs permission.

Packages

Name

org.jenkins-ci.plugins:job-import-plugin

maven
Affected versions    Fixed version
<= 3.5               3.6

EPSS

Percentile: 74%
0.00845
Low

4.3 Medium

CVSS3

Weaknesses

CWE-862

Related vulnerabilities

CVSS3: 4.3
nvd
more than 3 years ago

Jenkins Job Import Plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

EPSS

Percentile: 74%
0.00845
Low

4.3 Medium

CVSS3

Weaknesses

CWE-862