Описание
Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints, allowing attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins.
Ссылки
- Mailing ListThird Party Advisory
- Vendor Advisory
- Mailing ListThird Party Advisory
- Vendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 3.7.0 (включая)
cpe:2.3:a:jenkins:config_file_provider:*:*:*:*:*:jenkins:*:*
EPSS
Процентиль: 74%
0.00832
Низкий
6.5 Medium
CVSS3
4 Medium
CVSS2
Дефекты
Связанные уязвимости
CVSS3: 4.3
redhat
почти 5 лет назад
Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints, allowing attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins.
CVSS3: 6.5
github
больше 3 лет назад
Incorrect permission checks in Jenkins Config File Provider Plugin allow enumerating credentials IDs
EPSS
Процентиль: 74%
0.00832
Низкий
6.5 Medium
CVSS3
4 Medium
CVSS2