CVE-2019-16567

Vulnerability

Overview

The Jenkins Team Concert Plugin, versions 1.3.0 and earlier, contains a missing permission check in form-related methods. This flaw allows any user with the Overall/Read permission to enumerate credential IDs of credentials stored in Jenkins, bypassing the intended access controls [1][4].

Attack

Vector

An attacker can exploit this vulnerability by leveraging their existing Overall/Read access on a Jenkins instance. No additional privileges are required, as the plugin's form-related methods do not perform the necessary authorization checks before exposing credential ID information [1]. This makes the attack surface relatively broad, as many Jenkins users are granted Overall/Read access.

Impact

By enumerating credential IDs, an attacker can identify and potentially target specific credentials for further exploitation, such as credential theft or unauthorized use. While the vulnerability does not directly expose secret values of credentials, it discloses IDs that can be used in subsequent attacks [1][4]. This information leakage increases the risk of credential compromise.

Mitigation

The vulnerability is present in Team Concert Plugin 1.3.0 and earlier. At the time of the advisory, no fix was available, and the plugin was listed as having an unresolved security issue [3]. Users should consider removing or disabling the plugin if it is not needed, and monitor for updates from the plugin maintainer. No workaround is provided in the advisory.