Description
A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.
Remediation
References
http://www.openwall.com/lists/oss-security/2020/02/12/3
https://jenkins.io/security/advisory/2020-02-12/#SECURITY-812%20%282%29
Related Vulnerabilities
CVE-2021-25913 Vulnerability in npm package set-or-get
CVE-2019-17572 Vulnerability in maven package org.apache.rocketmq:rocketmq-broker
CVE-2022-43410 Vulnerability in maven package org.jenkins-ci.plugins:mercurial
CVE-2023-46589 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core
CVE-2023-26486 Vulnerability in maven package org.webjars.npm:vega-functions