CVE-2023-46652

Name of the Vulnerable Software and Affected Versions Jenkins lambdatest-automation Plugin versions 1.20.9 and earlier

Description A missing permission check in the Jenkins lambdatest-automation Plugin allows attackers with Overall/Read permission to enumerate credentials IDs of LAMBDATEST credentials stored in Jenkins. This can be used as part of an attack to capture the credentials using another vulnerability. The issue is related to an HTTP endpoint that does not perform a permission check.

Recommendations For Jenkins lambdatest-automation Plugin versions 1.20.9 and earlier, update to version 1.20.10 or later, which requires Overall/Administer permission to enumerate credentials IDs, mitigating the issue. As a temporary workaround, consider restricting access to the plugin's HTTP endpoint to minimize the risk of exploitation.