XPath Configuration Viewer Plugin 1.1.1 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to access the XPath Configuration Viewer page. Given appropriate XPath expressions, this page grants access to job configuration XML data to every user with Item/Read permission. The encrypted values of secrets stored in the job configuration are not redacted, as they would be by the config.xml API for users without Item/Configure permission.
CPE | Name | Operator | Version |
---|---|---|---|
org.jenkins-ci.plugins:xpath-config-viewer | le | 1.1.1 |