Описание
Jenkins CloudBees AWS Credentials Plugin 1.28 and earlier does not perform a permission check in a helper method for HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins in some circumstances.
Ссылки
- Third Party Advisory
- Vendor Advisory
- Third Party Advisory
- Vendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 1.28 (включая)
cpe:2.3:a:jenkins:cloudbees_aws_credentials:*:*:*:*:*:jenkins:*:*
EPSS
Процентиль: 8%
0.00031
Низкий
4.3 Medium
CVSS3
4 Medium
CVSS2
Дефекты
CWE-862
Связанные уязвимости
CVSS3: 4.3
github
больше 3 лет назад
Missing permission checks in Jenkins CloudBees AWS Credentials Plugin allows enumerating credentials IDs
EPSS
Процентиль: 8%
0.00031
Низкий
4.3 Medium
CVSS3
4 Medium
CVSS2
Дефекты
CWE-862