github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-gqm2-2gcx-p88w] Incorrect Permission Assignment for Critical Resource in Jenkins Credentials Binding Plugin #4572

Closed secjoker closed 2 days ago

secjoker commented 2 days ago

Updates

Comments

Based on the vulnerability description and the security notice released by Jenkins, it is more reasonable that the component affected by this vulnerability should be org.jenkins-ci.plugins:credentials-binding.

Reference links:
[1] https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2342
[2] https://security.snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIPLUGINS-2359741

Vulnerability details:

Missing permission check in Credentials Binding Plugin allows validating secret file credentials IDs
SECURITY-2342 / CVE-2022-20616
Severity (CVSS): Low
Affected plugin: credentials-binding

Description:
Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it's a zip file. Credentials Binding Plugin 1.27.1 performs permission checks when validating secret file credentials IDs.
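The bug class described in the advisory, as an added illustration that is not the Credentials Binding Plugin's own code: a Jenkins form-validation method that resolves a credential ID with no permission check, beside the hardened form that returns a neutral result unless the caller holds the permission to use credentials in that context. The class, method and helper names are hypothetical; the Jenkins and Credentials Plugin APIs used (FormValidation, CredentialsProvider, CredentialsMatchers, FileCredentials) are real.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.jenkinsci.plugins.plaincredentials.FileCredentials;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

import java.io.IOException;
import java.io.InputStream;
import java.util.Collections;

// Hypothetical descriptor used only to contrast the two validation methods.
public class ExampleSecretFileDescriptor {

    // Weak form: any caller who can reach the endpoint (Overall/Read) learns
    // whether the ID resolves to a secret file and whether it is a zip.
    public FormValidation doCheckCredentialsIdWeak(@AncestorInPath Item item,
                                                   @QueryParameter String value) {
        return inspect(item, value);
    }

    // Hardened form: gate the lookup on the caller's ability to use credentials
    // in this context; unprivileged callers get an uninformative "ok".
    public FormValidation doCheckCredentialsId(@AncestorInPath Item item,
                                               @QueryParameter String value) {
        boolean allowed = (item == null)
                ? Jenkins.get().hasPermission(CredentialsProvider.USE_ITEM)
                : item.hasPermission(CredentialsProvider.USE_ITEM);
        if (!allowed) {
            return FormValidation.ok(); // reveal nothing about the credential
        }
        return inspect(item, value);
    }

    // Shared lookup: resolve the ID as a secret file credential and peek at
    // the zip magic bytes "PK\3\4". This is the information the weak form leaks.
    private FormValidation inspect(Item item, String value) {
        FileCredentials c = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(FileCredentials.class, item,
                        ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(value));
        if (c == null) {
            return FormValidation.error("Not a secret file credential");
        }
        try (InputStream in = c.getContent()) {
            byte[] magic = new byte[4];
            boolean isZip = in.read(magic) == 4 && magic[0] == 'P' && magic[1] == 'K'
                    && magic[2] == 3 && magic[3] == 4;
            return isZip ? FormValidation.ok() : FormValidation.warning("Not a zip file");
        } catch (IOException e) {
            return FormValidation.error("Could not read credential");
        }
    }
}
```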

advisory-database[bot] commented 2 days ago

Hi @secjoker! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!