Improper Authentication

Affecting org.jenkins-ci.plugins:tfs artifact, versions [0,]


Overview

org.jenkins-ci.plugins:tfs is a plugin that triggers a release in Azure DevOps, through a post-build step in Jenkins.

Affected versions of this package are vulnerable to Improper Authentication. The plugin does not perform a permission check in one of its HTTP endpoints. This allows attackers with Overall/Read permission to enumerate the IDs of credentials stored in Jenkins. Those IDs can then be used as part of an attack that captures the credentials themselves through another vulnerability.

Remediation

There is no fixed version for org.jenkins-ci.plugins:tfs.

CVSS Score

4.3
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    Low
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    None
  • Availability
    None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Credit
Daniel Beck
CVE
CVE-2021-21636
CWE
CWE-287
Snyk ID
SNYK-JAVA-ORGJENKINSCIPLUGINS-1089874
Disclosed
31 Mar, 2021
Published
31 Mar, 2021