Jenkins CRX Content Package Deployer Plugin subject to Missing Authorization

2022-05-2416:58:48

Google

osv.dev

0.001 Low

EPSS

Percentile

28.5%

JSON

A missing permission check in Jenkins CRX Content Package Deployer Plugin prior to version 1.9 allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. This issue is patched in 1.9

CPENameOperatorVersion
org.jenkins-ci.plugins:crx-content-package-deployereq1.6
org.jenkins-ci.plugins:crx-content-package-deployereq1.1
org.jenkins-ci.plugins:crx-content-package-deployereq1.5.3
org.jenkins-ci.plugins:crx-content-package-deployereq1.0
org.jenkins-ci.plugins:crx-content-package-deployereq1.5
org.jenkins-ci.plugins:crx-content-package-deployereq1.8.1
org.jenkins-ci.plugins:crx-content-package-deployereq1.7.2
org.jenkins-ci.plugins:crx-content-package-deployereq1.3.1
org.jenkins-ci.plugins:crx-content-package-deployereq1.5.1
org.jenkins-ci.plugins:crx-content-package-deployereq1.3

Name	Operator	Version
org.jenkins-ci.plugins:crx-content-package-deployer	eq	1.6
org.jenkins-ci.plugins:crx-content-package-deployer	eq	1.1
org.jenkins-ci.plugins:crx-content-package-deployer	eq	1.5.3
org.jenkins-ci.plugins:crx-content-package-deployer	eq	1.0
org.jenkins-ci.plugins:crx-content-package-deployer	eq	1.5
org.jenkins-ci.plugins:crx-content-package-deployer	eq	1.8.1
org.jenkins-ci.plugins:crx-content-package-deployer	eq	1.7.2
org.jenkins-ci.plugins:crx-content-package-deployer	eq	1.3.1
org.jenkins-ci.plugins:crx-content-package-deployer	eq	1.5.1
org.jenkins-ci.plugins:crx-content-package-deployer	eq	1.3