Exposure of Sensitive Information to an Unauthorized Actor in Jenkins SSH Credentials Plugin

2022-05-1403:07:03

Google

osv.dev

0.001 Low

EPSS

Percentile

28.4%

JSON

A arbitrary file read vulnerability exists in Jenkins SSH Credentials Plugin 1.13 and earlier in BasicSSHUserPrivateKey.java that allows attackers with a Jenkins account and the permission to configure credential bindings to read arbitrary files from the Jenkins master file system.

CPENameOperatorVersion
org.jenkins-ci.plugins:credentialseq1.26
org.jenkins-ci.plugins:credentialseq1.16.1
org.jenkins-ci.plugins:credentialseq1.8.1
org.jenkins-ci.plugins:credentialseq1.6
org.jenkins-ci.plugins:credentialseq2.1.12
org.jenkins-ci.plugins:credentialseq2.1.2
org.jenkins-ci.plugins:credentialseq2.1.15
org.jenkins-ci.plugins:credentialseq2.1.9
org.jenkins-ci.plugins:credentialseq1.18
org.jenkins-ci.plugins:credentialseq1.7.2

Name	Operator	Version
org.jenkins-ci.plugins:credentials	eq	1.26
org.jenkins-ci.plugins:credentials	eq	1.16.1
org.jenkins-ci.plugins:credentials	eq	1.8.1
org.jenkins-ci.plugins:credentials	eq	1.6
org.jenkins-ci.plugins:credentials	eq	2.1.12
org.jenkins-ci.plugins:credentials	eq	2.1.2
org.jenkins-ci.plugins:credentials	eq	2.1.15
org.jenkins-ci.plugins:credentials	eq	2.1.9
org.jenkins-ci.plugins:credentials	eq	1.18
org.jenkins-ci.plugins:credentials	eq	1.7.2