Jenkins Team Concert Plugin missing permission check

2022-05-2417:03:48

Google

osv.dev

6.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.3%

JSON

A missing permission check in Jenkins Team Concert Plugin 1.3.0 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

CPENameOperatorVersion
org.jenkins-ci.plugins:teamconcerteq1.2.0.1
org.jenkins-ci.plugins:teamconcerteq1.0.11
org.jenkins-ci.plugins:teamconcerteq1.1.9
org.jenkins-ci.plugins:teamconcerteq1.1.9.8
org.jenkins-ci.plugins:teamconcerteq1.1.9.2
org.jenkins-ci.plugins:teamconcerteq1.1.9.5
org.jenkins-ci.plugins:teamconcerteq1.1.9.6.1
org.jenkins-ci.plugins:teamconcerteq1.1.9.3
org.jenkins-ci.plugins:teamconcerteq1.2.0.4
org.jenkins-ci.plugins:teamconcerteq1.1.9.4

Name	Operator	Version
org.jenkins-ci.plugins:teamconcert	eq	1.2.0.1
org.jenkins-ci.plugins:teamconcert	eq	1.0.11
org.jenkins-ci.plugins:teamconcert	eq	1.1.9
org.jenkins-ci.plugins:teamconcert	eq	1.1.9.8
org.jenkins-ci.plugins:teamconcert	eq	1.1.9.2
org.jenkins-ci.plugins:teamconcert	eq	1.1.9.5
org.jenkins-ci.plugins:teamconcert	eq	1.1.9.6.1
org.jenkins-ci.plugins:teamconcert	eq	1.1.9.3
org.jenkins-ci.plugins:teamconcert	eq	1.2.0.4
org.jenkins-ci.plugins:teamconcert	eq	1.1.9.4