Lucene search

GitHub Advisory DatabaseGHSA-7J55-28QQ-676G

HistoryFeb 15, 2023 - 3:30 p.m.

Missing Authorization in Jenkins Azure Credentials Plugin

2023-02-1515:30:40

CWE-862

GitHub Advisory Database

github.com

jenkins

azure

credentials

plugin

version 253.v887e0f9e898b

security

vulnerability

attackers

enumeration

permissions

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

21.0%

JSON

A missing permission check in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

Affected configurations

Vulners

Node

org.jenkins-ci.plugins\Matchazure-keyvault

CPENameOperatorVersion
org.jenkins-ci.plugins:azure-credentialsle253.v887e0f9e898b

CPE	Name	Operator	Version
	org.jenkins-ci.plugins:azure-credentials	le	253.v887e0f9e898b

References

www.openwall.com/lists/oss-security/2023/02/15/4

github.com/advisories/GHSA-7j55-28qq-676g

github.com/jenkinsci/azure-credentials-plugin/commit/64da8176c83a41bb83d3ad759628c9bd275b42f5

nvd.nist.gov/vuln/detail/CVE-2023-25766

www.jenkins.io/security/advisory/2023-02-15/#SECURITY-1757

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

21.0%

JSON

Related for GHSA-7J55-28QQ-676G