Fluid Attacks Database

Description

Missing permission check in Jenkins Ansible Tower Plugin A missing permission check in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doFillTowerCredentialsIdItems method allowed attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.jenkins-ci.plugins:ansible-tower	>=0 <0.9.2	0.9.2

Aliases

1. CVE-2019-103122. NVD-2019-103123. OSV-2019-103124. GCVE-2019-10312

References

1. https://jenkins.io/security/advisory/2019-04-30/#SECURITY-13552. http://www.openwall.com/lists/oss-security/2019/04/30/53. http://www.securityfocus.com/bid/108159