GHSA-gqm2-2gcx-p88w

Опубликовано: 13 янв. 2022

Источник: github

Github: Прошло ревью

CVSS3: 4.3

Описание

Incorrect Permission Assignment for Critical Resource in Jenkins Credentials Binding Plugin

Jenkins Credentials Binding Plugin prior to 1.27.1 and 1.24.1 does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it’s a zip file.

Credentials Binding Plugin 1.27.1 and 1.24.1 performs permission checks when validating secret file credentials IDs.

Ссылки

Пакеты

Наименование

org.jenkins-ci.plugins:credentials-binding

maven

Затронутые версииВерсия исправления

>= 1.25, < 1.27.1

1.27.1

Наименование

org.jenkins-ci.plugins:credentials-binding

maven

Затронутые версииВерсия исправления

< 1.24.1

1.24.1

EPSS

Процентиль: 8%

0.00029

Низкий

4.3 Medium

CVSS3

CVE ID

CVE-2022-20616

Дефекты

CWE-732

CWE-862

Связанные уязвимости

CVE-2022-20616

CVSS3: 4.3

redhat

около 4 лет назад

Jenkins Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it's a zip file.

CVE-2022-20616

CVSS3: 4.3

nvd

около 4 лет назад

EPSS

Процентиль: 8%

0.00029

Низкий

4.3 Medium

CVSS3

CVE ID

CVE-2022-20616

Дефекты

CWE-732

CWE-862