This can be leveraged for credential stuffing and other attacks. The issue was fixed in loader.io Plugin version 1.0.2; upgrading the plugin on your Jenkins instances to that version or later prevents it. If you are running an earlier version, upgrade as soon as possible. End users can check the latest version at https://jenkins.loader.io/

CVE-2018-10514 A missing permission check in Jenkins loader.io Plugin 1.0.1 and earlier allows attackers with View/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2018-10515 A missing permission check in Jenkins loader.io Plugin 1.0.1 and earlier allows attackers with View/Read permission to list projects stored in Jenkins.

CVE-2018-10516 A missing permission check in Jenkins loader.io Plugin 1.0.1 and earlier allows attackers with View/Read permission to list jobs stored in Jenkins.

CVE-2018-10517 A missing permission check in Jenkins loader.io Plugin 1.0.1 and earlier allows attackers with View/Read permission to create new projects stored in Jenkins.

CVE-2018-10518 A missing permission check in Jenkins loader.io Plugin 1.0.1 and earlier allows attackers with View/Read permission to list jobs stored in Jenkins.

CVE-2018-10519 A missing permission check in Jenkins loader.io Plugin 1.0.1 and earlier allows

Dependency Management

Dependency management is a critical piece of software architecture that enables developers to take advantage of the composition paradigm and ensure their code works in a well-defined context. This is accomplished by defining what changes a dependency requires, such as upgrades or new versions.

Timeline

Published on: 11/15/2022 20:15:00 UTC
Last modified on: 11/18/2022 04:50:00 UTC

References