Description
Jenkins Job Import Plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
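The defect described above is a Stapler endpoint that returns credential IDs without first asking who is calling. As an added illustration (not the Job Import Plugin's own code; the hypothetical class, method and `url` parameter names are assumptions, since the real endpoint is not on this page), the following shows a credential-listing form-validation method in its unchecked shape beside the permission-checked shape the Jenkins credentials plugin guidance recommends:

```java
// Added example, not the Job Import Plugin's own code. Hypothetical endpoint
// class and parameter names; the real endpoint shape is not given on this page.
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.URIRequirementBuilder;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

public final class ImportSiteCredentialsEndpoint {

    // Unchecked shape: anyone who can reach the endpoint (Overall/Read is
    // enough to hit form-validation URLs) receives every matching credential ID.
    public ListBoxModel doFillCredentialsIdItemsUnchecked(@QueryParameter String url) {
        return new StandardListBoxModel()
                .includeEmptyValue()
                .includeAs(ACL.SYSTEM, (Item) null,
                        StandardUsernamePasswordCredentials.class,
                        URIRequirementBuilder.fromUri(url).build());
    }

    // Checked shape: callers without the right to use or configure credentials
    // on the item (or Administer at the Jenkins root) only get back the value
    // already present in the form, so nothing new is disclosed to them.
    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                 @QueryParameter String credentialsId,
                                                 @QueryParameter String url) {
        StandardListBoxModel result = new StandardListBoxModel();
        if (item == null) {
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return result.includeCurrentValue(credentialsId);
            }
        } else if (!item.hasPermission(Item.EXTENDED_READ)
                && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
            return result.includeCurrentValue(credentialsId);
        }
        return result
                .includeEmptyValue()
                .includeAs(ACL.SYSTEM, item,
                        StandardUsernamePasswordCredentials.class,
                        URIRequirementBuilder.fromUri(url).build())
                .includeCurrentValue(credentialsId);
    }
}
```

When reviewing a plugin for this class of bug, look at every `doFill*Items`, `doCheck*` and `doTest*` method: each one that touches `CredentialsProvider` should carry a permission check like the second method before it lists or looks up anything.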
Remediation
References
https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2791
http://www.openwall.com/lists/oss-security/2022/10/19/3