CVE-2018-1000109

Name of the Vulnerable Software and Affected Versions: Jenkins Google Play Android Publisher Plugin versions 1.6 and earlier

Description: An improper authorization issue exists that allows an attacker to obtain credential IDs. The vulnerability is located in the GooglePlayBuildStepDescriptor.java file. As of version 1.7, the plugin requires the ExtendedRead permission (or Configure permission if ExtendedRead is not enabled) to the job in whose context credentials are being accessed to enumerate credential IDs and validate specified credentials.

Recommendations: For Jenkins Google Play Android Publisher Plugin versions 1.6 and earlier, update to version 1.7 or later to ensure that enumeration of credentials IDs and validation of specified credentials require the necessary permissions.