PT-2019-11833 · Jenkins · Jenkins Crx Content Package Deployer Plugin
Oleg Nenashev
·
Published
2019-10-16
·
Updated
2023-10-25
·
CVE-2019-10439
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins CRX Content Package Deployer Plugin versions 1.8.1 and earlier
Jenkins CRX Content Package Deployer Plugin versions prior to 1.9
Description
A missing permission check in the Jenkins CRX Content Package Deployer Plugin in various doFillCredentialsIdItems methods allowed users with Overall/Read access to enumerate the credential IDs of credentials stored in Jenkins.
Recommendations
For Jenkins CRX Content Package Deployer Plugin versions 1.8.1 and earlier, update to version 1.9 or later to resolve the issue.
For Jenkins CRX Content Package Deployer Plugin versions prior to 1.9, update to version 1.9 or later to resolve the issue.
As a temporary workaround, consider restricting access to the doFillCredentialsIdItems methods until a patch is available.
Fix
Missing Authorization
Improper Authorization
Related Identifiers
Affected Products
Jenkins
Jenkins Crx Content Package Deployer Plugin