Missing Permission Check in Jenkins Team Concert Plugin Allows Credential Enumeration
CVE-2019-16567

4.3MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Team Concert Plugin
Vendor: CVE Published:; 17 December 2019

Summary

The Jenkins Team Concert Plugin suffers from a security flaw due to a missing permission check in its form-related methods. This vulnerability permits users with Overall/Read access to enumerate the IDs of credentials stored within Jenkins, potentially exposing sensitive information to unauthorized users. It is crucial for administrators to implement the necessary updates or mitigations to safeguard sensitive data against such exposure.

Affected Version(s)

Jenkins Team Concert Plugin <= 1.3.0

References

https://jenkins.io/security/advisory/2019-12-17/#SECURITY...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2019/12/17/1

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 17, 2019
Vulnerability Reserved
Sep 20, 2019