In some cases, this can lead to attackers being able to view and change Jenkins usernames and passwords. This issue does not affect systems where Jenkins is installed on a system that does not have permissions for Overall/Read. Users are advised to consider changing the Jenkins usernames and passwords on the Jenkins system and to monitor any system where Jenkins is installed for any suspicious activity. Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. In some cases, this can lead to attackers being able to view and change Jenkins usernames and passwords. This issue does not affect systems where Jenkins is installed on a system that does not have permissions for Overall/Read. Users are advised to consider changing the Jenkins usernames and passwords on the Jenkins system and to monitor any system where Jenkins is installed for any suspicious activity.
Credit where credit is due
This issue was discovered by a member of the Jenkins security team and has been confirmed to be valid by the Jenkins core development team.
Information Gathering
This issue affects systems where Jenkins is installed on a system that does not have permissions for Overall/Read.
Timeline
Published on: 10/19/2022 16:15:00 UTC
Last modified on: 10/22/2022 02:11:00 UTC