[MAVEN:GHSA-RVX4-GG8W-QW24] Jenkins Google Play Android Publisher Plugin allows attacker to obtain credential IDs
Severity
Moderate
Affected Packages
1
Fixed Packages
1
CVEs
1
An improper authorization vulnerability exists in Jenkins Google Play Android Publisher Plugin version 1.6 and earlier in GooglePlayBuildStepDescriptor.java that allow an attacker to obtain credential IDs. As of version 1.7, enumeration of credentials IDs and validation of specified credentials in this plugin requires the permissions to have the ExtendedRead permission (when that permission is enabled; otherwise Configure permission) to the job in whose context credentials are being accessed.
| Package | Affected Version |
|---|---|
 pkg:maven/org.jenkins-ci.plugins/google-play-android-publisher
|
<= 1.6 |
| Package | Fixed Version |
|---|---|
|
pkg:maven/org.jenkins-ci.plugins/google-play-android-publisher
|
= 1.7 |
- ID
- MAVEN:GHSA-RVX4-GG8W-QW24
- Severity
- moderate
- URL
- https://github.com/advisories/GHSA-rvx4-gg8w-qw24
- Published
-
2022-05-13T01:48:31
(2 years ago) - Modified
-
2023-12-20T13:30:47
(9 months ago) - Rights
- Maven Security Team
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/org.jenkins-ci.plugins/google-play-android-publisher | org.jenkins-ci.plugins |
google-play-android-publisher
|
<= 1.6 | |||
| Fixed | pkg:maven/org.jenkins-ci.plugins/google-play-android-publisher | org.jenkins-ci.plugins |
google-play-android-publisher
|
= 1.7 |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |