CVE-2023-24451

Name of the Vulnerable Software and Affected Versions Jenkins Cisco Spark Notifier Plugin versions 1.1.1 and earlier

Description The issue is related to a missing permission check in the Jenkins Cisco Spark Notifier Plugin, which allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. This can lead to unauthorized access to protected information. The vulnerability is associated with inadequate access control when handling HTTP endpoints.

Recommendations For Jenkins Cisco Spark Notifier Plugin versions 1.1.1 and earlier, consider disabling the plugin until a patch is available to prevent attackers from enumerating credentials IDs. Restrict access to the plugin's HTTP endpoints to minimize the risk of exploitation. Avoid using the plugin with Overall/Read permission until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.