Jenkins Credentials Binding Plugin Vulnerability: Unauthorized Validation of Secret File Credentials

CVE-2022-20616 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Jenkins Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it's a zip file.

Learn more about our Cis Benchmark Audit For Bind.