CVE-2020-2285

CWE-862 — Missing Authorization5 documents5 sources

Severity

4.3MEDIUM

EPSS

0.0%

top 91.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Liquibase Runner Plugin Jenkins Liquibase Runner

Timeline

PublishedSep 23

Latest updateMay 24

Description

A missing permission check in Jenkins Liquibase Runner Plugin 1.4.7 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:liquibase-runner< 1.4.8

▶CVEListV5jenkins_project/jenkins_liquibase_runner_pluginunspecified — 1.4.7

▶NVDjenkins/liquibase_runner1.4.7

🔴Vulnerability Details

GHSA

Missing permission check in Jenkins Liquibase Runner Plugin allows enumerating credentials IDs↗2022-05-24

▶

OSV

Missing permission check in Jenkins Liquibase Runner Plugin allows enumerating credentials IDs↗2022-05-24

▶

CVEList

CVE-2020-2285: A missing permission check in Jenkins Liquibase Runner Plugin 1↗2020-09-23

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2020-09-23↗2020-09-23

▶