Jenkins Job Import Plugin vulnerable to exposure of sensitive information
Moderate severity | GitHub Reviewed
Published to the GitHub Advisory Database: May 13, 2022
Updated: Oct 25, 2023
Package
Affected versions: <= 2.1
Patched versions: 3.0
Published by the National Vulnerability Database: Feb 6, 2019
Reviewed: Oct 25, 2023
Description
Jenkins Job Import Plugin did not check user permissions on its API endpoint used to access remote Jenkins instances. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Job Import Plugin 3.0 will only access Jenkins instances using credentials defined in the global configuration.
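The pattern the advisory describes, as an added illustration and not the Job Import Plugin's own code: a hypothetical Jenkins plugin descriptor (class, method and field names are assumptions) with an endpoint in the vulnerable shape beside a hardened one that checks Overall/Administer and uses only the globally configured credentials, the direction the 3.0 fix describes.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
// Hypothetical plugin descriptor (an assumption, not the Job Import Plugin's class).
public class RemoteJenkinsDescriptor {
    // Credentials ID an administrator saved in the global configuration (assumed field).
    private String configuredCredentialsId;
    // VULNERABLE shape: no permission check, and both URL and credentials ID come from the
    // request, so any user with Overall/Read can make Jenkins send a stored secret elsewhere.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String url,
                                                 @QueryParameter String credentialsId) {
        return connect(url, lookup(credentialsId));
    }
    // HARDENED shape: require Overall/Administer, and use only the globally configured
    // credentials rather than an ID supplied by the caller.
    public FormValidation doTestConnection(@QueryParameter String url) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER); // throws if the caller lacks it
        return connect(url, lookup(configuredCredentialsId));
    }
    private static StandardUsernamePasswordCredentials lookup(String id) {
        if (id == null) return null;
        return CredentialsMatchers.firstOrNull(CredentialsProvider.lookupCredentials(
                StandardUsernamePasswordCredentials.class, Jenkins.get(), ACL.SYSTEM,
                Collections.emptyList()), CredentialsMatchers.withId(id));
    }
    // Sends the secret as HTTP Basic auth to the remote Jenkins; this is the step that
    // leaks it when the URL is caller-controlled and the permission check is missing.
    private static FormValidation connect(String url, StandardUsernamePasswordCredentials c) {
        if (c == null) return FormValidation.error("No usable credentials");
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            String userPass = c.getUsername() + ":" + c.getPassword().getPlainText();
            conn.setRequestProperty("Authorization", "Basic " + Base64.getEncoder()
                    .encodeToString(userPass.getBytes(StandardCharsets.UTF_8)));
            int code = conn.getResponseCode();
            return code == 200 ? FormValidation.ok("Connected") : FormValidation.error("HTTP " + code);
        } catch (IOException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```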