Bug 2044500 (CVE-2022-20616) - CVE-2022-20616 jenkins-2-plugins/credentials-binding: does not perform a permission check in a method implementing form validation
Keywords:
Status: NEW
Alias: CVE-2022-20616
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Severity: low
Priority: low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2044933 2047839
Blocks: 2044461
Reported: 2022-01-24 17:26 UTC by Michael Kaplan
Modified: 2024-05-02 18:49 UTC (History)

Fixed In Version: Credentials Binding plugin 1.27.1
Doc Type: If docs needed, set a value
Doc Text:
A missing permission check was found in the Jenkins Credentials Binding plugin (1.27 and earlier). A form validation method does not check the caller's permissions, which allows attackers with Overall/Read access to determine whether a given credential ID refers to a secret file credential and whether that file is a zip file.
Clone Of:
Environment:
Last Closed:
Embargoed:


Description Michael Kaplan 2022-01-24 17:26:47 UTC
Jenkins Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it's a zip file.

Reference:

https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2342
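
The bug class described above, as an added illustration that is not the credentials-binding plugin's source and not the fix shipped in 1.27.1 (the page does not show either). The class name, method names and the zip-magic check are assumptions made for this example; the permission-gating pattern in the "after" method is the one the Jenkins developer documentation on form validation recommends (https://www.jenkins.io/doc/developer/security/form-validation/). Any user with Overall/Read can reach a Stapler-bound doCheck* method over HTTP, so whatever the method returns is an oracle unless the method itself checks permissions:

```java
// Hypothetical Jenkins descriptor illustrating SECURITY-2342's bug class:
// a doCheck* form-validation method reachable by any Overall/Read user.
// Example written for this page, NOT the credentials-binding plugin's code.
import java.io.IOException;
import java.io.InputStream;
import java.util.Collections;
import java.util.List;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardCredentials;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.jenkinsci.plugins.plaincredentials.FileCredentials;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

public class ZipFileBindingChecks {

    // Shared helper (hypothetical): resolve the ID and report what the form
    // validation would reveal. Each distinct return value is one bit of leak:
    // "does this ID exist", "is it a secret file", "is that file a zip".
    private static FormValidation describe(Item item, String credentialsId) throws IOException {
        List<StandardCredentials> all = CredentialsProvider.lookupCredentials(
                StandardCredentials.class, item, ACL.SYSTEM, Collections.emptyList());
        StandardCredentials c = CredentialsMatchers.firstOrNull(all, CredentialsMatchers.withId(credentialsId));
        if (!(c instanceof FileCredentials)) {
            return FormValidation.error("Not a secret file credential"); // leaks existence / type
        }
        try (InputStream in = ((FileCredentials) c).getContent()) {
            byte[] magic = new byte[4];
            int n = in.read(magic);
            // Local-file-header signature of a zip archive: "PK\x03\x04" (assumed check).
            boolean isZip = n == 4 && magic[0] == 'P' && magic[1] == 'K' && magic[2] == 3 && magic[3] == 4;
            return isZip ? FormValidation.ok() : FormValidation.error("Not a zip file"); // leaks content type
        }
    }

    // BEFORE: no permission check. Any authenticated (Overall/Read) user can call
    // .../checkCredentialsIdVulnerable?value=<guess> and enumerate credential IDs.
    public FormValidation doCheckCredentialsIdVulnerable(@AncestorInPath Item item,
                                                         @QueryParameter String value) throws IOException {
        return describe(item, value);
    }

    // AFTER: only callers who could configure the item (or administer Jenkins when
    // there is no item context) get a real answer; everyone else gets a neutral ok().
    public FormValidation doCheckCredentialsId(@AncestorInPath Item item,
                                               @QueryParameter String value) throws IOException {
        if (item == null) {
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return FormValidation.ok();
            }
        } else if (!item.hasPermission(Item.EXTENDED_READ)
                && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
            return FormValidation.ok();
        }
        return describe(item, value);
    }
}
```

The important detail is that the unauthorized branch returns ok() rather than an error: an error message would itself be a distinguishable response, and the UI hides the check anyway for users who cannot edit the job. The same gate belongs on doFill*Items methods that populate credential dropdowns, which are the other common source of this oracle.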

Comment 2 Adam Kaplan 2022-01-26 23:06:29 UTC
credentials-binding is included as a direct dependency: https://github.com/openshift/jenkins/blob/master/2/contrib/openshift/base-plugins.txt#L6