PT-2020-15454 · Jenkins · Jenkins Pipeline Maven Integration Plugin
Tim Jacomb · Published 2020-08-12 · Updated 2023-10-25
CVE-2020-2233 · CVSS v3.1 6.5 (Medium) · Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins Pipeline Maven Integration Plugin versions 3.8.2 and earlier
Description
A missing permission check in the Jenkins Pipeline Maven Integration Plugin allows users with Overall/Read access to enumerate the credential IDs of credentials stored in Jenkins. The issue lies in one of the plugin's HTTP endpoints, which returns credential IDs to any such user; these IDs can then be used in conjunction with another vulnerability to capture the credentials themselves.
Recommendations
For Jenkins Pipeline Maven Integration Plugin versions 3.8.2 and earlier, update to version 3.8.3 or later, which requires appropriate permissions for enumerating credentials IDs.
Fix
Incorrect Authorization
Improper Authorization
Affected Products
Jenkins
Jenkins Pipeline Maven Integration Plugin