osv / Google / OSV:GHSA-3M8W-442M-3P2Q
May 24, 2022 - 10:00 p.m.

Jenkins Artifactory Plugin missing permission check

2022-05-24 22:00:02
Google
osv.dev
jenkins
artifactory plugin
permission check

AI Score: 6.6 (Confidence: High)

EPSS: 0.005 (Percentile: 77.6%)

Jenkins Artifactory Plugin provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.

This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credential IDs. Those IDs can be used as part of an attack to capture the credentials using another vulnerability.

As of publication of this advisory, no release containing a fix is available.
