Skip to content

Missing permission checks in Jenkins Azure Service Fabric Plugin

Moderate severity GitHub Reviewed Published Jan 22, 2025 to the GitHub Advisory Database • Updated Jan 22, 2025

Package

maven org.jenkins-ci.plugins:service-fabric (Maven)

Affected versions

<= 1.6

Patched versions

None

Description

The Jenkins Azure Service Fabric Plugin 1.6 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials IDs of Azure credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

References

Published by the National Vulnerability Database Jan 22, 2025
Published to the GitHub Advisory Database Jan 22, 2025
Reviewed Jan 22, 2025
Last updated Jan 22, 2025

Severity

Moderate

Weaknesses

No CWEs

CVE ID

CVE-2025-24403

GHSA ID

GHSA-gp8p-49gr-jv8j

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.