PT-2022-14825 · Jenkins · Jenkins Credentials Binding Plugin+1
Published 2022-01-12 · Updated 2023-11-22 · CVE-2022-20616
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins Credentials Binding Plugin versions 1.27 and earlier
Jenkins Credentials Binding Plugin versions prior to 1.27.1
Jenkins Credentials Binding Plugin versions prior to 1.24.1
Description
A form validation method in the plugin lacks a permission check. This allows attackers with Overall/Read access to check whether a given credential ID refers to a secret file credential and, if so, whether that file is a zip archive.
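As an added illustration, not code from the advisory or from the plugin itself, the Jenkins form-validation pattern behind this bug class is shown below: an unguarded `doCheck` method beside one that applies the permission check Jenkins documents for such methods. The method names `doCheckSecretFileId`, `doCheckSecretFileIdUnchecked` and `lookupAndDescribe` are hypothetical, and the choice of `Item.CONFIGURE` / `Jenkins.ADMINISTER` is the generic Jenkins guidance, not necessarily the exact permission the plugin's fix uses.

```java
// Added example (hypothetical names): a Jenkins descriptor form-validation
// method first without, then with, the permission check whose absence lets any
// Overall/Read user probe credential IDs through the validation endpoint.
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

public class ExampleDescriptorSnippets {

    // Vulnerable pattern: the endpoint is reachable by anyone with Overall/Read,
    // and the result depends on the credential before any permission is checked.
    public FormValidation doCheckSecretFileIdUnchecked(@QueryParameter String value) {
        return lookupAndDescribe(value);
    }

    // Hardened pattern: require a permission appropriate to the context
    // (Item.CONFIGURE inside a job, Jenkins.ADMINISTER with no item context) and
    // otherwise return a neutral result that reveals nothing about the credential.
    public FormValidation doCheckSecretFileId(@AncestorInPath Item item,
                                              @QueryParameter String value) {
        if (item == null) {
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return FormValidation.ok();
            }
        } else if (!item.hasPermission(Item.CONFIGURE)) {
            return FormValidation.ok();
        }
        return lookupAndDescribe(value);
    }

    // Stand-in for the plugin's real credential lookup (hypothetical). The
    // example is about the guard above; any body whose output varies with the
    // credential ID is an information leak when that guard is missing.
    private FormValidation lookupAndDescribe(String value) {
        if (value == null || value.isEmpty()) {
            return FormValidation.ok();
        }
        return FormValidation.ok("credential ID looks valid");
    }
}
```

Reviewing a plugin for this class of issue means checking every `doCheck*`, `doFill*` and similar Stapler-bound method for such a guard, since each is a web endpoint in its own right.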
Recommendations
For Jenkins Credentials Binding Plugin versions 1.27 and earlier, update to version 1.27.1 or later.
For Jenkins Credentials Binding Plugin versions prior to 1.24.1, update to version 1.24.1 or later.
As a temporary workaround, consider restricting access to the form validation method until a patch is available.
Weakness Types
Missing Authorization
Incorrect Permission
Affected Products
Jenkins
Jenkins Credentials Binding Plugin