Missing permission checks in Jenkins Config File Provider Plugin allow enumerating configuration file IDs

Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate configuration file IDs. An enumeration of configuration file IDs in Jenkins Config File Provider Plugin 3.7.1 require...

jenkins-2-plugins/config-file-provider: Does not perform permission checks in several HTTP endpoints.

A flaw was found in the config-file-provider Jenkins plugin. The plugin does not perform permission checks in several HTTP endpoints, as a consequence an attacker with Overall/Read permission is allowed to enumerate configuration file IDs...

Design/Logic Flaw

Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints, attackers with Overall/Read permission to enumerate configuration file IDs...

PT-2021-14688 · Jenkins · Jenkins Config File Provider Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Config File Provider Plugin versions 3.7.0 and earlier Description: The issue concerns a lack of permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate configuration file IDs. This ca...