A missing permission check in Jenkins PAM Authentication Plugin 1.5 and earlier, except 1.4.1 in PamSecurityRealm.DescriptorImpl#doTest allowed users with Overall/Read permission to obtain limited information about the file /etc/shadow and the user Jenkins is running as.
{
"cpe": [
"cpe:2.3:a:jenkins:pluggable_authentication_module:1.0:*:*:*:*:jenkins:*:*",
"cpe:2.3:a:jenkins:pluggable_authentication_module:1.1:*:*:*:*:jenkins:*:*",
"cpe:2.3:a:jenkins:pluggable_authentication_module:1.2:*:*:*:*:jenkins:*:*",
"cpe:2.3:a:jenkins:pluggable_authentication_module:1.3:*:*:*:*:jenkins:*:*",
"cpe:2.3:a:jenkins:pluggable_authentication_module:1.4:*:*:*:*:jenkins:*:*",
"cpe:2.3:a:jenkins:pluggable_authentication_module:1.5:*:*:*:*:jenkins:*:*"
],
"extracted_events": [
{
"introduced": "1.0"
},
{
"last_affected": "1.0"
},
{
"introduced": "1.1"
},
{
"last_affected": "1.1"
},
{
"introduced": "1.2"
},
{
"last_affected": "1.2"
},
{
"introduced": "1.3"
},
{
"last_affected": "1.3"
},
{
"introduced": "1.4"
},
{
"last_affected": "1.4"
},
{
"introduced": "1.5"
},
{
"last_affected": "1.5"
}
],
"source": "CPE_STRING"
}