GHSA-gp8p-49gr-jv8j

Source

https://github.com/advisories/GHSA-gp8p-49gr-jv8j

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-gp8p-49gr-jv8j/GHSA-gp8p-49gr-jv8j.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-gp8p-49gr-jv8j

Aliases

CVE-2025-24403

Published

2025-01-22T18:31:56Z

Modified

2025-01-23T23:29:39.482896Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Missing permission checks in Jenkins Azure Service Fabric Plugin

Details

The Jenkins Azure Service Fabric Plugin 1.6 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials IDs of Azure credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

Database specific

{
    "cwe_ids": [
        "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-22T19:32:51Z",
    "nvd_published_at": "2025-01-22T17:15:14Z",
    "severity": "MODERATE"
}

References

Affected packages

Maven / org.jenkins-ci.plugins:service-fabric

Package

Name: org.jenkins-ci.plugins:service-fabric; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/service-fabric

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.6

Affected versions

1.*

1.0

1.1

1.3

1.4

1.5

1.6

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-gp8p-49gr-jv8j/GHSA-gp8p-49gr-jv8j.json"