Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints, allowing attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Config_file_provider | Jenkins | * | 3.7.0 |