PT-2023-6484 · Jenkins · Jenkins Warnings Plugin

Andrea Chiera · Published 2023-10-25 · Updated 2023-11-01 · CVE-2023-46651

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Warnings Plugin versions 10.5.0 and earlier

Description: Information disclosure. Jenkins Warnings Plugin 10.5.0 and earlier does not set the appropriate context (the job being configured) when it looks up credentials. An attacker with Item/Configure permission can therefore select credentials they are not entitled to use, including system-scoped credentials otherwise reserved for the global Jenkins configuration, and capture them. The CVSS vector reflects this: a remote, low-privileged user (PR:L) with no user interaction obtains a high confidentiality impact (C:H) and no integrity or availability impact.

Recommendations: Update to version 10.5.1 or later; for the 10.4.x line, update to version 10.4.1, which contains the backported fix. Both releases set the appropriate context for credentials lookup so that users with Item/Configure permission can only select credentials their job is entitled to. Until the update is applied, restrict Item/Configure permission to trusted users, since any user holding it can exploit this issue.

Weakness Enumeration

Insufficiently Protected Credentials
Information Disclosure

Related Identifiers

BDU:2023-07224
CVE-2023-46651
GHSA-66HV-FHCM-7XM7

Affected Products

Jenkins
Jenkins Warnings Plugin