CVE-2023-49652

Name of the Vulnerable Software and Affected Versions Jenkins Google Compute Engine Plugin versions 4.550.vb 327fca 3db 11 and earlier

Description The issue is related to incorrect permission checks in the Jenkins Google Compute Engine Plugin. Attackers with global Item/Configure permission, but lacking Item/Configure permission on any particular job, can enumerate system-scoped credentials IDs of credentials stored in Jenkins. They can also connect to Google Cloud Platform using attacker-specified credentials IDs obtained through another method to obtain information about existing projects.

Recommendations For Jenkins Google Compute Engine Plugin versions 4.550.vb 327fca 3db 11 and earlier, update to version 4.3.17.1 or later, which includes the backported fix. For version 4.551.v5a 4dc98f6962 and later, ensure that Overall/Administer permission is required for the affected HTTP endpoints.