Description
A missing permission check in Jenkins Liquibase Runner Plugin 1.4.7 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
Remediation
References
https://www.jenkins.io/security/advisory/2020-09-23/#SECURITY-2030
http://www.openwall.com/lists/oss-security/2020/09/23/1
Related Vulnerabilities
CVE-2018-11788 Vulnerability in maven package org.apache.karaf:org.apache.karaf.util
CVE-2010-3718 Vulnerability in maven package tomcat:catalina
CVE-2021-25929 Vulnerability in maven package org.opennms:opennms-webapp
CVE-2023-33949 Vulnerability in maven package com.liferay.portal:release.portal.bom
CVE-2019-1003005 Vulnerability in maven package org.jenkins-ci.plugins:script-security