CVE-2020-2198 – hudson.plugins:project-inheritance
Package
Manager: maven
Name: hudson.plugins:project-inheritance
Vulnerable Version: >=0 <=21.04.03
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00047 (percentile: 0.14135)
Details
Missing permission check in Jenkins Project Inheritance Plugin.
Jenkins Project Inheritance Plugin 21.04.03 and earlier does not redact encrypted secrets in the 'getConfigAsXML' API URL when transmitting job config.xml data to users without Job/Configure.
Metadata
Created: 2022-05-24T17:19:05Z
Modified: 2022-12-22T13:38:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w53q-r5cw-6vjh/GHSA-w53q-r5cw-6vjh.json
CWE IDs: ["CWE-522"]
Alternative ID: GHSA-w53q-r5cw-6vjh
Finding: F035
Auto approve: 1