CVE-2020-2285

Name of the Vulnerable Software and Affected Versions Jenkins Liquibase Runner Plugin versions 1.4.7 and earlier

Description A missing permission check in the plugin allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. This can be done through an HTTP endpoint, and the enumerated credentials IDs can be used as part of an attack to capture the credentials using another vulnerability.

Recommendations For Jenkins Liquibase Runner Plugin versions 1.4.7 and earlier, update to version 1.4.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's HTTP endpoint to minimize the risk of exploitation. Additionally, ensure that only authorized users have Overall/Read permission in Jenkins.