CVE-2022-20616

CWE-862 — Missing Authorization CWE-732 — Incorrect Permission Assignment6 documents6 sources

Severity

4.3MEDIUM

EPSS

0.0%

top 91.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Credentials Binding Plugin Jenkins Credentials Binding

Timeline

PublishedJan 12

Latest updateJan 13

Description

Jenkins Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it's a zip file.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:credentials-binding1.25 — 1.27.1+1

▶CVEListV5jenkins_project/jenkins_credentials_binding_pluginunspecified — 1.27

▶NVDjenkins/credentials_binding1.27

🔴Vulnerability Details

GHSA

Incorrect Permission Assignment for Critical Resource in Jenkins Credentials Binding Plugin↗2022-01-13

▶

OSV

Incorrect Permission Assignment for Critical Resource in Jenkins Credentials Binding Plugin↗2022-01-13

▶

CVEList

CVE-2022-20616: Jenkins Credentials Binding Plugin 1↗2022-01-12

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-01-12↗2022-01-12

▶

Red Hat

jenkins-2-plugins/credentials-binding: does not perform a permission check in a method implementing form validation↗2022-01-12

▶