CVE-2020-2310

Name of the Vulnerable Software and Affected Versions Jenkins Ansible Plugin versions 1.0 and earlier

Description The issue is related to missing permission checks in the Jenkins Ansible Plugin, which allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. This can be used as part of an attack to capture the credentials using another vulnerability. The affected plugin does not perform permission checks in methods implementing form validation.

Recommendations For Jenkins Ansible Plugin versions 1.0 and earlier, consider updating to version 1.1 or later, which requires appropriate permissions for the enumeration of credentials IDs. As a temporary workaround, consider restricting access to the Overall/Read permission to minimize the risk of exploitation. Restrict access to the credentials stored in Jenkins to prevent potential capture using another vulnerability.