GHSA-vw64-g7c6-mm7g

Опубликовано: 25 окт. 2023

Источник: github

Github: Прошло ревью

CVSS3: 4.3

Описание

Jenkins lambdatest-automation Plugin missing permission check

Jenkins lambdatest-automation Plugin 1.20.9 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of LAMBDATEST credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in lambdatest-automation Plugin 1.20.10 requires Overall/Administer permission.

Ссылки

Пакеты

Наименование

org.jenkins-ci.plugins:lambdatest-automation

maven

Затронутые версииВерсия исправления

< 1.20.10

1.20.10

EPSS

Процентиль: 16%

0.00052

Низкий

4.3 Medium

CVSS3

CVE ID

CVE-2023-46652

Дефекты

CWE-862

Связанные уязвимости

CVE-2023-46652

CVSS3: 4.3

nvd

больше 2 лет назад

A missing permission check in Jenkins lambdatest-automation Plugin 1.20.9 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of LAMBDATEST credentials stored in Jenkins.

EPSS

Процентиль: 16%

0.00052

Низкий

4.3 Medium

CVSS3

CVE ID

CVE-2023-46652

Дефекты

CWE-862