GHSA-32xp-m6vg-gwpj

Source

https://github.com/advisories/GHSA-32xp-m6vg-gwpj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-32xp-m6vg-gwpj/GHSA-32xp-m6vg-gwpj.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-32xp-m6vg-gwpj

Aliases

CVE-2020-2233

Published

2022-05-24T17:25:24Z

Modified

2024-02-18T05:22:30.270899Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Missing permission check in Jenkins Pipeline Maven Integration Plugin allows enumerating credentials IDs

Details

Pipeline Maven Integration Plugin 3.8.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read access to Jenkins to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Pipeline Maven Integration Plugin 3.8.3 requires the appropriate permissions.

Database specific

{
    "nvd_published_at": "2020-08-12T14:15:00Z",
    "cwe_ids": [
        "CWE-285",
        "CWE-863"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-20T21:22:39Z"
}

References

Affected packages

Maven / org.jenkins-ci.plugins:pipeline-maven

Package

Name: org.jenkins-ci.plugins:pipeline-maven; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/pipeline-maven

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.8.3

Affected versions

0.*

0.1-beta

0.2

0.3

0.4

0.5

0.6

0.7

2.*

2.0-beta-3

2.0-beta-4

2.0-beta-5

2.0-beta-6

2.0-beta-7

2.0

2.0.1

2.0.2

2.0.3

2.1.0-beta-1

2.1.0

2.1.1-beta-1

2.2.0

2.2.1

2.3.0-beta-1

2.3.0

2.3.1-beta-1

2.3.1

2.4.0-beta-1

2.4.0-beta-2

2.4.0

2.5.0-alpha-1

2.5.0

2.5.1

2.5.2

3.*

3.0.0-beta-1

3.0.0-beta-2

3.0.0-beta-3

3.0.0-beta-4

3.0.0-beta-5

3.0.0-beta-6

3.0.0

3.0.1-beta-1

3.0.1-beta-2

3.0.1

3.0.2

3.0.3-beta-1

3.0.3-beta-2

3.0.3

3.0.4

3.0.5

3.0.6-beta-1

3.0.6

3.0.7

3.1.0-beta-1

3.1.0

3.2.0-alpha-1

3.2.0-alpha-2

3.2.0

3.2.1-beta-1

3.2.1

3.3.0

3.3.1-beta-1

3.3.1-beta-2

3.3.1

3.3.2

3.4.0-beta-1

3.4.0

3.4.1

3.4.2

3.4.3

3.5.0-beta-1

3.5.0

3.5.1-beta-1

3.5.1

3.5.2

3.5.3

3.5.4-beta-1

3.5.4

3.5.5

3.5.6

3.5.7-beta-1

3.5.7

3.5.8-beta-1

3.5.8

3.5.9

3.5.10

3.5.11

3.5.12-beta-1

3.5.12-beta-2

3.5.12-beta-3

3.5.12-beta-4

3.5.12

3.5.13

3.5.14

3.5.15-beta-1

3.5.15-beta-2

3.5.15-beta-3

3.5.15-beta-4

3.5.15

3.6.0-beta-1

3.6.0-beta-2

3.6.0

3.6.1

3.6.2

3.6.3

3.6.4-beta-1

3.6.4

3.6.5-beta-1

3.6.5

3.6.6-beta-1

3.6.6-beta-2

3.6.6-beta-3

3.6.6-beta-4

3.6.6

3.6.7

3.6.8-beta-1

3.6.8-beta-2

3.6.8

3.6.9

3.6.10

3.6.11

3.6.12

3.6.13

3.6.14

3.6.15-beta-1

3.7.0-beta-1

3.7.0

3.7.1

3.8.0

3.8.1

3.8.2