PT-2018-9288 · Jenkins · Jenkins Google Play Android Publisher Plugin+1
Christopher Orr
·
Published
2018-03-13
·
Updated
2022-05-13
·
CVE-2018-1000109
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions:
Jenkins Google Play Android Publisher Plugin versions 1.6 and earlier
Description:
An improper authorization issue exists that allows an attacker to obtain credential IDs. The vulnerability is located in the
GooglePlayBuildStepDescriptor.java file. As of version 1.7, the plugin requires the ExtendedRead permission (or Configure permission if ExtendedRead is not enabled) to the job in whose context credentials are being accessed to enumerate credential IDs and validate specified credentials.Recommendations:
For Jenkins Google Play Android Publisher Plugin versions 1.6 and earlier, update to version 1.7 or later to ensure that enumeration of credentials IDs and validation of specified credentials require the necessary permissions.
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Google Play Android Publisher Plugin