1. Home
  2. Security Advisories
  3. Jenkins
  4. JENKINS:SECURITY-3265

[JENKINS:SECURITY-3265] Exposure of system-scoped credentials in `warnings-ng`

Severity Medium
Affected Packages 2
Fixed Packages 2
CVEs 1
Info Packages References Vulnerabilities

warnings-ng 10.5.0 and earlier does not set the appropriate context for credentials lookup, allowing the use of system-scoped credentials otherwise reserved for the global configuration.

This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to.

warnings-ng 10.5.1 defines the appropriate context for credentials lookup.

Package Affected Version
pkg:maven/org.jenkins-ci.plugins/warnings-ng <= 10.5.0
pkg:github/jenkinsci/warnings-ng-plugin <= 10.5.0
Package Fixed Version
pkg:maven/org.jenkins-ci.plugins/warnings-ng = 10.5.1
pkg:github/jenkinsci/warnings-ng-plugin = 10.5.1
ID
JENKINS:SECURITY-3265
Severity
medium
Published
2023-10-25T00:00:00
(11 months ago)
Modified
2023-10-25T00:00:00
(11 months ago)
Rights
Jenkins Security Team
Other Advisories
Source # ID Name URL
Plugin repository warnings-ng repository https://github.com/jenkinsci/warnings-ng-plugin
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.jenkins-ci.plugins/warnings-ng org.jenkins-ci.plugins warnings-ng <= 10.5.0
Fixed pkg:maven/org.jenkins-ci.plugins/warnings-ng org.jenkins-ci.plugins warnings-ng = 10.5.1
Affected pkg:github/jenkinsci/warnings-ng-plugin jenkinsci warnings-ng-plugin <= 10.5.0
Fixed pkg:github/jenkinsci/warnings-ng-plugin jenkinsci warnings-ng-plugin = 10.5.1
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date