GHSA-rvx4-gg8w-qw24

Source

https://github.com/advisories/GHSA-rvx4-gg8w-qw24

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rvx4-gg8w-qw24/GHSA-rvx4-gg8w-qw24.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-rvx4-gg8w-qw24

Aliases

CVE-2018-1000109

Published

2022-05-13T01:48:31Z

Modified

2024-02-16T07:59:10.285035Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Jenkins Google Play Android Publisher Plugin allows attacker to obtain credential IDs

Details

An improper authorization vulnerability exists in Jenkins Google Play Android Publisher Plugin version 1.6 and earlier in GooglePlayBuildStepDescriptor.java that allow an attacker to obtain credential IDs. As of version 1.7, enumeration of credentials IDs and validation of specified credentials in this plugin requires the permissions to have the ExtendedRead permission (when that permission is enabled; otherwise Configure permission) to the job in whose context credentials are being accessed.

Database specific

{
    "nvd_published_at": "2018-03-13T13:29:00Z",
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-07T18:18:52Z"
}

References

Affected packages

Maven / org.jenkins-ci.plugins:google-play-android-publisher

Package

Name: org.jenkins-ci.plugins:google-play-android-publisher; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/google-play-android-publisher

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.7

Affected versions

1.*

1.0

1.1

1.2

1.3

1.3.1

1.4

1.4.1

1.5

1.6

Database specific

{
    "last_known_affected_version_range": "<= 1.6"
}