CVE-2018-1000109 – org.jenkins-ci.plugins:google-play-android-publisher

Package

Manager: maven
Name: org.jenkins-ci.plugins:google-play-android-publisher
Vulnerable Version: >=0 <1.7

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00031 pctl0.07238

Details

Jenkins Google Play Android Publisher Plugin allows attacker to obtain credential IDs An improper authorization vulnerability exists in Jenkins Google Play Android Publisher Plugin version 1.6 and earlier in `GooglePlayBuildStepDescriptor.java` that allow an attacker to obtain credential IDs. As of version 1.7, enumeration of credentials IDs and validation of specified credentials in this plugin requires the permissions to have the ExtendedRead permission (when that permission is enabled; otherwise Configure permission) to the job in whose context credentials are being accessed.

Metadata

Created: 2022-05-13T01:48:31Z
Modified: 2022-12-07T18:18:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rvx4-gg8w-qw24/GHSA-rvx4-gg8w-qw24.json
CWE IDs: ["CWE-863"]
Alternative ID: GHSA-rvx4-gg8w-qw24
Finding: F006
Auto approve: 1