Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1ydng0LWdnOHctcXcyNM4AASj4
Jenkins Google Play Android Publisher Plugin allows attacker to obtain credential IDs
An improper authorization vulnerability exists in Jenkins Google Play Android Publisher Plugin version 1.6 and earlier in GooglePlayBuildStepDescriptor.java that allow an attacker to obtain credential IDs. As of version 1.7, enumeration of credentials IDs and validation of specified credentials in this plugin requires the permissions to have the ExtendedRead permission (when that permission is enabled; otherwise Configure permission) to the job in whose context credentials are being accessed.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ydng0LWdnOHctcXcyNM4AASj4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 5 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-rvx4-gg8w-qw24, CVE-2018-1000109
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000109
- https://jenkins.io/security/advisory/2018-02-26/#SECURITY-715
- https://github.com/jenkinsci/google-play-android-publisher-plugin/commit/f81b058289caf3332ae40d599a36a3665b1fa13c
- https://github.com/advisories/GHSA-rvx4-gg8w-qw24
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:google-play-android-publisher
Affected Version Ranges: <= 1.6Fixed in: 1.7