Описание
Missing Authorization in Jenkins XPath Configuration Viewer Plugin
XPath Configuration Viewer Plugin 1.1.1 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to access the XPath Configuration Viewer page. Given appropriate XPath expressions, this page grants access to job configuration XML data to every user with Item/Read permission. The encrypted values of secrets stored in the job configuration are not redacted, as they would be by the config.xml API for users without Item/Configure permission.
Пакеты
org.jenkins-ci.plugins:xpath-config-viewer
<= 1.1.1
Отсутствует
Связанные уязвимости
A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to access the XPath Configuration Viewer page.