CVE-2020-2118

Name of the Vulnerable Software and Affected Versions Jenkins Pipeline GitHub Notify Step Plugin versions 1.0.4 and earlier

Description A missing permission check in form-related methods of the Jenkins Pipeline GitHub Notify Step Plugin allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. This functionality provides a list of applicable credential IDs to users configuring the plugin, but it does not correctly check permissions. As a result, any user with Overall/Read permission can obtain a list of valid credentials IDs, which can be used as part of an attack to capture the credentials using another vulnerability.

Recommendations For Jenkins Pipeline GitHub Notify Step Plugin versions 1.0.4 and earlier, update to version 1.0.5 or later, which requires the permission to configure a project for an enumeration of credentials IDs. As a temporary workaround, consider restricting access to the plugin's configuration to minimize the risk of exploitation.