Lucene search

K
githubGitHub Advisory DatabaseGHSA-4CMQ-88F8-53R5
HistoryMay 24, 2022 - 4:58 p.m.

Jenkins CRX Content Package Deployer Plugin subject to credentials enumeration via Missing Authorization

2022-05-2416:58:49
CWE-285
CWE-862
GitHub Advisory Database
github.com
13

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

22.0%

A missing permission check in Jenkins CRX Content Package Deployer Plugin prior to version 1.9 in various โ€˜doFillCredentialsIdItemsโ€™ methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. This issue is patched in version 1.9.

Affected configurations

Vulners
Node
github_advisory_databaseorg.jenkins-ci.plugins\Matchcrx-content-package-deployer

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

22.0%

Related for GHSA-4CMQ-88F8-53R5