GHSA-qf4p-7gqc-x6jx

Опубликовано: 28 июл. 2022

Источник: github

Github: Прошло ревью

CVSS3: 4.3

Описание

Jenkins Compuware Topaz Utilities Plugin is missing authorization

Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins. Those credentials IDs can be used as part of an attack to capture the credentials using another vulnerability.

Compuware Topaz Utilities Plugin 1.0.9 requires the appropriate permissions to enumerate hosts and ports of Compuware configurations and credentials IDs.

Ссылки

Пакеты

Наименование

com.compuware.jenkins:compuware-topaz-utilities

maven

Затронутые версииВерсия исправления

<= 1.0.8

1.0.9

EPSS

Процентиль: 52%

0.00292

Низкий

4.3 Medium

CVSS3

CVE ID

CVE-2022-36895

Дефекты

CWE-862

Связанные уязвимости

CVE-2022-36895

CVSS3: 4.3

nvd

больше 3 лет назад

A missing permission check in Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins.

BDU:2022-04875

CVSS3: 4.3

fstec

больше 3 лет назад

Уязвимость плагина Jenkins Compuware Topaz Utilities Plugin, связанная с недостатками процедуры авторизации, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

EPSS

Процентиль: 52%

0.00292

Низкий

4.3 Medium

CVSS3

CVE ID

CVE-2022-36895

Дефекты

CWE-862