Closed secjoker closed 2 days ago
Hi @secjoker! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
Comments

Based on the vulnerability description and the security notice released by Jenkins, it is more reasonable that the component affected by this vulnerability is org.jenkins-ci.plugins:credentials-binding.

Reference links:
[1] https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2342
[2] https://security.snyk.io/vuln/SNYK-JAVA-ORGJENKINSCIPLUGINS-2359741

Vulnerability details:

Missing permission check in Credentials Binding Plugin allows validating secret file credentials IDs
SECURITY-2342 / CVE-2022-20616
Severity (CVSS): Low
Affected plugin: credentials-binding

Description: Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it's a zip file. Credentials Binding Plugin 1.27.1 performs permission checks when validating secret file credentials IDs.
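The bug class behind SECURITY-2342 is a Jenkins `doCheck*` form-validation method that looks up a credential before verifying the caller is allowed to know anything about it. The following is an added illustration of that pattern and its fix; it is not the Credentials Binding Plugin's own code, and the class name, method names, the `looksLikeZip` heuristic and the exact permission combination are assumptions chosen to mirror the advisory text. Only the standard Jenkins and Credentials Plugin APIs (`FormValidation`, `CredentialsProvider.lookupCredentials`, `CredentialsMatchers`, `Item.EXTENDED_READ`, `CredentialsProvider.USE_ITEM`, `Jenkins.ADMINISTER`) are real.

```java
// Illustrative example, not the plugin's code. Names and the zip heuristic are assumptions.
package example;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.jenkinsci.plugins.plaincredentials.FileCredentials;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.Collections;

public class SecretFileValidationExample {

    // Shared lookup: returns null when no secret file credential with that ID is
    // resolvable in the context of the given item (null item = global scope).
    static FileCredentials findFileCredential(Item item, String id) {
        return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        FileCredentials.class, item, ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(id));
    }

    // Assumed heuristic: a zip archive starts with the local-file-header
    // signature "PK\3\4". Reading the content is itself the sensitive step.
    static boolean looksLikeZip(FileCredentials c) throws IOException {
        try (InputStream in = c.getContent()) {
            byte[] magic = new byte[4];
            int n = in.read(magic);
            return n == 4 && Arrays.equals(magic, new byte[] {0x50, 0x4B, 0x03, 0x04});
        }
    }

    // VULNERABLE pattern (what the advisory describes): the endpoint is reachable
    // by anyone with Overall/Read, and its three distinct responses tell the
    // caller whether an ID exists, whether it is a secret file, and whether
    // that file is a zip.
    public static FormValidation doCheckCredentialsIdUnchecked(
            @AncestorInPath Item item, @QueryParameter String value) throws IOException {
        FileCredentials c = findFileCredential(item, value);
        if (c == null) {
            return FormValidation.error("Could not find a secret file credential with that ID");
        }
        if (!looksLikeZip(c)) {
            return FormValidation.error("Credential is not a zip file");
        }
        return FormValidation.ok();
    }

    // HARDENED pattern: gate the lookup on a permission that already implies the
    // caller may see the item's credentials. On failure return ok() rather than
    // an error so the response carries no information about the ID.
    public static FormValidation doCheckCredentialsIdChecked(
            @AncestorInPath Item item, @QueryParameter String value) throws IOException {
        if (item == null) {
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return FormValidation.ok();
            }
        } else if (!item.hasPermission(Item.EXTENDED_READ)
                && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
            return FormValidation.ok();
        }
        return doCheckCredentialsIdUnchecked(item, value);
    }
}
```

The check has to come before the credential lookup, not after it: once `findFileCredential` and `looksLikeZip` have run, any difference in the response (error text, timing, or even an exception) is an oracle. Returning `FormValidation.ok()` for unauthorized callers, instead of an "access denied" error, is the convention the Jenkins security advisories themselves follow for `doCheck*` methods, since the validation endpoint is only a UI convenience and a blank result reveals nothing.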