CVE-2019-10323

Name of the Vulnerable Software and Affected Versions Jenkins Artifactory Plugin versions 3.2.3 and earlier

Description A missing permission check in the Jenkins Artifactory Plugin allows users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. The plugin provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use, but it does not correctly check permissions. This issue can be used as part of an attack to capture the credentials using another vulnerability.

Recommendations For Jenkins Artifactory Plugin versions 3.2.3 and earlier, as a temporary workaround, consider restricting access to the fillCredentialsIdItems methods until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.