Insecure Permissions

Affecting org.jenkins-ci.plugins:liquibase-runner artifact, versions [0,]


Overview

Affected versions of this package are vulnerable to Insecure Permissions. Liquibase Runner Plugin does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate the credential IDs of credentials stored in Jenkins. Those IDs can be used as part of an attack to capture the credentials using another vulnerability.

Remediation

There is no fixed version for org.jenkins-ci.plugins:liquibase-runner.
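
With an affected range of `[0,]` and no fixed release, every installed version matches, so remediation starts with finding where the plugin is installed. The following added example (not part of the advisory or the plugin's code) interprets that interval notation and checks a plugin inventory against it; the `shortName:version` inventory format, the sample entries and all function names are assumptions.

```python
import re

# Values taken from the advisory; "[0,]" is interval notation with no upper bound.
ADVISORY = {"id": "CVE-2020-2285", "artifact": "liquibase-runner", "range": "[0,]"}
# Constructed sample inventory, one "shortName:version" per line (assumed format).
SAMPLE_INVENTORY = """\
git:4.4.4
liquibase-runner:1.4.5   # version is illustrative
credentials:2.3.13
"""

def version_key(version):
    """Leading numeric components as a tuple; qualifiers are ignored (simplification)."""
    parts = []
    for piece in re.split(r"[.\-]", version.strip()):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while parts and parts[-1] == 0:   # treat 1.4.0 and 1.4 as equal
        parts.pop()
    return tuple(parts)

def parse_range(spec):
    """Parse '[low,high]' or '(low,high)'; an empty bound means unbounded."""
    m = re.fullmatch(r"([\[(])\s*([\w.\-]*)\s*,\s*([\w.\-]*)\s*([\])])", spec.strip())
    if not m:
        raise ValueError(f"unsupported range: {spec!r}")
    opener, low, high, closer = m.groups()
    return low or None, opener == "[", high or None, closer == "]"

def in_range(version, spec):
    """True when the version lies inside the interval, honouring inclusive bounds."""
    low, low_inc, high, high_inc = parse_range(spec)
    v = version_key(version)
    above = low is None or v > version_key(low) or (low_inc and v == version_key(low))
    below = high is None or v < version_key(high) or (high_inc and v == version_key(high))
    return above and below

def affected(inventory, advisory=ADVISORY):
    """Return (name, version) for every inventory entry the advisory covers."""
    hits = []
    for line in inventory.splitlines():
        name, _, version = line.split("#", 1)[0].strip().partition(":")
        if name == advisory["artifact"] and in_range(version, advisory["range"]):
            hits.append((name, version))
    return hits

if __name__ == "__main__":
    print(affected(SAMPLE_INVENTORY))
```

An entry with no pinned version is also reported, because an empty version compares equal to the inclusive lower bound `0`.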


CVSS Score

7.0 (high severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: Low
  • Availability: Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L/E:P/RL:O/RC:R
Credit: Daniel Beck, CloudBees, Inc.
CVE: CVE-2020-2285
CWE: CWE-275
Snyk ID: SNYK-JAVA-ORGJENKINSCIPLUGINS-1012540
Disclosed: 24 Sep, 2020
Published: 24 Sep, 2020