Jenkins Job Import Plugin 143.v044a2e819b27 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
{
"cpe": [
"cpe:2.3:a:jenkins:job_import:*:*:*:*:*:jenkins:*:*",
"cpe:2.3:a:jenkins:job_import:143.v044a_2e819b_27:*:*:*:*:jenkins:*:*"
],
"source": [
"CPE_RANGE",
"CPE_STRING"
],
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "122.v35289550f1e6"
},
{
"introduced": "143.v044a_2e819b_27"
},
{
"last_affected": "143.v044a_2e819b_27"
}
]
}