Missing Permission Check in Jenkins Fortify on Demand Plugin
CVE-2020-2202

4.3MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Fortify On Demand Plugin
Vendor: CVE Published:; 2 July 2020

Summary

A flaw in the Jenkins Fortify on Demand Plugin versions 6.0.0 and earlier allows users with Overall/Read access to improperly access sensitive credential information. This vulnerability enables unauthorized users to enumerate credential IDs, exposing critical credentials stored in Jenkins. Proper access controls should be implemented to mitigate this risk and protect against potential data breaches.

Affected Version(s)

Jenkins Fortify on Demand Plugin <= 6.0.0

References

https://jenkins.io/security/advisory/2020-07-02/#SECURITY...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2020/07/02/7

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 2, 2020
Vulnerability Reserved
Dec 5, 2019