Incorrect Permission Assignment for Critical Resource in Jenkins Credentials Binding Plugin

2022-01-1300:01:03

Google

osv.dev

0.001 Low

EPSS

Percentile

22.0%

JSON

Jenkins Credentials Binding Plugin prior to 1.27.1 and 1.24.1 does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it’s a zip file.

Credentials Binding Plugin 1.27.1 and 1.24.1 performs permission checks when validating secret file credentials IDs.

CPENameOperatorVersion
org.jenkins-ci.plugins:credentialseq1.1
org.jenkins-ci.plugins:credentialseq1.26
org.jenkins-ci.plugins:credentialseq1.11
org.jenkins-ci.plugins:credentialseq1.15
org.jenkins-ci.plugins:credentialseq1.12
org.jenkins-ci.plugins:credentialseq1.21
org.jenkins-ci.plugins:credentialseq1.3.1
org.jenkins-ci.plugins:credentialseq1.7.5
org.jenkins-ci.plugins:credentialseq1.17
org.jenkins-ci.plugins:credentialseq1.8.3

Name	Operator	Version
org.jenkins-ci.plugins:credentials	eq	1.1
org.jenkins-ci.plugins:credentials	eq	1.26
org.jenkins-ci.plugins:credentials	eq	1.11
org.jenkins-ci.plugins:credentials	eq	1.15
org.jenkins-ci.plugins:credentials	eq	1.12
org.jenkins-ci.plugins:credentials	eq	1.21
org.jenkins-ci.plugins:credentials	eq	1.3.1
org.jenkins-ci.plugins:credentials	eq	1.7.5
org.jenkins-ci.plugins:credentials	eq	1.17
org.jenkins-ci.plugins:credentials	eq	1.8.3