CVE-2020-2202

Name of the Vulnerable Software and Affected Versions Jenkins Fortify on Demand Plugin versions 6.0.0 and earlier

Description A missing permission check in form-related methods of the Jenkins Fortify on Demand Plugin allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs, which can be used as part of an attack to capture the credentials using another vulnerability.

Recommendations For Jenkins Fortify on Demand Plugin versions 6.0.0 and earlier, consider updating to version 6.0.1 or later, where an enumeration of credentials IDs now requires the appropriate permissions. As a temporary workaround, consider restricting access to the plugin's configuration to minimize the risk of exploitation.