CVE-2020-2118

CWE-276 — Incorrect Default Permissions CWE-2855 documents5 sources

Severity

4.3MEDIUM

EPSS

0.0%

top 91.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Pipeline Github Notify Step Plugin Jenkins Pipeline Github Notify Step

Timeline

PublishedFeb 12

Latest updateMay 24

Description

A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5jenkins_project/jenkins_pipeline_github_notify_step_pluginunspecified — 1.0.4

▶NVDjenkins/pipeline_github_notify_step1.0.4

▶Mavenorg.jenkins-ci.plugins:pipeline-build-step< 1.0.5

🔴Vulnerability Details

OSV

Users with Overall/Read access can enumerate credential IDs in Pipeline GitHub Notify Step Plugin↗2022-05-24

▶

GHSA

Users with Overall/Read access can enumerate credential IDs in Pipeline GitHub Notify Step Plugin↗2022-05-24

▶

CVEList

CVE-2020-2118: A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1↗2020-02-12

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2020-02-12↗2020-02-12

▶