CVE-2020-2285
Description
Jenkins Liquibase Runner Plugin 1.4.7 and earlier lacks a permission check, allowing attackers with Overall/Read to enumerate credential IDs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2020-2285 in the Jenkins Liquibase Runner Plugin (versions 1.4.7 and earlier) is a missing permission check vulnerability. The plugin's doFillCredentialsIdItems method did not verify that the user had the necessary permissions (such as Item.EXTENDED_READ or CredentialsProvider.USE_ITEM) before listing available credentials. This allowed any user with the Overall/Read permission to enumerate credential IDs stored in Jenkins [1][2].
Exploitation
An attacker needs only the Overall/Read permission, which is typically granted to anonymous or low-privileged users in many Jenkins configurations. By exploiting the missing check, the attacker could call the credential ID enumeration endpoint without proper authorization. The fix (in version 1.4.8) added a permission check using Item.EXTENDED_READ or CredentialsProvider.USE_ITEM before returning the list of credential IDs [4].
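An added example, not code from the plugin or the advisory: a heuristic source audit for the bug class described above, a `doFill*Items` method that calls `lookupCredentials` with no `hasPermission`/`checkPermission` call before it. The two Java samples are condensed from the fix diff on this page; the function names are hypothetical, and the brace matching ignores strings and comments.

```python
import re

# Constructed samples, condensed from the fix diff shown on this page.
BEFORE = """
public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Project project) {
    return new StandardListBoxModel().withEmptySelection()
        .withMatching(anyOf(instanceOf(UsernamePasswordCredentials.class)),
            CredentialsProvider.lookupCredentials(StandardUsernameCredentials.class, project));
}"""
AFTER = """
public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
        @QueryParameter String credentialsId, @AncestorInPath Project project) {
    StandardListBoxModel result = new StandardListBoxModel();
    if (item == null) {
        if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
            return result.includeCurrentValue(credentialsId);
        }
    } else if (!item.hasPermission(Item.EXTENDED_READ) && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
        return result.includeCurrentValue(credentialsId);
    }
    return result.includeEmptyValue()
        .withMatching(anyOf(instanceOf(UsernamePasswordCredentials.class)),
            CredentialsProvider.lookupCredentials(StandardUsernameCredentials.class, project))
        .includeCurrentValue(credentialsId);
}"""

METHOD = re.compile(r"\b(doFill\w*Items)\s*\(")             # Stapler list-box fill methods
CHECK = re.compile(r"\b(hasPermission|checkPermission)\s*\(")
LOOKUP = re.compile(r"\blookupCredentials\s*\(")

def method_body(src, start):
    """Brace-balanced block opening at the first '{' after start ('' if none)."""
    i = src.find("{", start)
    depth = 0
    for j in range(max(i, 0), len(src) if i >= 0 else 0):
        depth += {"{": 1, "}": -1}.get(src[j], 0)
        if depth == 0:
            return src[i:j + 1]
    return ""

def unguarded_fill_methods(src):
    """doFill*Items methods that call lookupCredentials with no permission check before it."""
    flagged = []
    for m in METHOD.finditer(src):
        body = method_body(src, m.end())
        lookup = LOOKUP.search(body)
        if lookup and not CHECK.search(body, 0, lookup.start()):
            flagged.append(m.group(1))
    return flagged
```

A hit is a lead for manual review, not a finding: the check may live in a helper the method calls.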
Impact
The impact is limited to information disclosure of credential IDs. While the attacker does not obtain the actual credential secrets, knowing the IDs can aid in further attacks, such as using those IDs in other plugin configurations or scripts if additional vulnerabilities exist. The CVSS score for this issue is not provided in the advisory, but it is considered a medium-severity information disclosure [1].
Mitigation
The vulnerability is fixed in Liquibase Runner Plugin version 1.4.8 [1][2]. Users should upgrade to this version or later. No workaround is available; updating the plugin is the recommended action. The plugin is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:liquibase-runner (Maven) | < 1.4.8 | 1.4.8 |
Affected products
- Range: unspecified
Patches
d1607478c959 Fixed credentials management
2 files changed · +22 −7
src/main/java/org/jenkinsci/plugins/liquibase/builder/AbstractLiquibaseDescriptor.java+21 −6 modified@@ -4,15 +4,15 @@ import com.cloudbees.plugins.credentials.common.StandardListBoxModel; import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials; import com.cloudbees.plugins.credentials.common.UsernamePasswordCredentials; +import hudson.model.Item; import hudson.model.Project; import hudson.tasks.BuildStepDescriptor; import hudson.tasks.Builder; import hudson.util.ListBoxModel; import jenkins.model.Jenkins; import org.jenkinsci.plugins.liquibase.install.LiquibaseInstallation; import org.kohsuke.stapler.AncestorInPath; - -import java.util.Arrays; +import org.kohsuke.stapler.QueryParameter; import static com.cloudbees.plugins.credentials.CredentialsMatchers.anyOf; import static com.cloudbees.plugins.credentials.CredentialsMatchers.instanceOf; @@ -29,12 +29,27 @@ public AbstractLiquibaseDescriptor() { load(); } - public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Project project) { - return new StandardListBoxModel() - .withEmptySelection() + public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item, + @QueryParameter String credentialsId, + @AncestorInPath Project project) { + StandardListBoxModel result = new StandardListBoxModel(); + + if (item == null) { + if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) { + return result.includeCurrentValue(credentialsId); + } + } else { + if (!item.hasPermission(Item.EXTENDED_READ) + && !item.hasPermission(CredentialsProvider.USE_ITEM)) { + return result.includeCurrentValue(credentialsId); + } + } + return result + .includeEmptyValue() .withMatching(anyOf( instanceOf(UsernamePasswordCredentials.class)), - CredentialsProvider.lookupCredentials(StandardUsernameCredentials.class, project)); + CredentialsProvider.lookupCredentials(StandardUsernameCredentials.class, project)) + .includeCurrentValue(credentialsId); } public LiquibaseInstallation[] getInstallations() {
src/main/resources/org/jenkinsci/plugins/liquibase/builder/AbstractLiquibaseBuilder/liquibase-common-connection-config.jelly+1 −1 modified@@ -10,7 +10,7 @@ </f:entry> <f:entry field="credentialsId" title="Credentials"> - <c:select/> + <c:select expressionAllowed="true"/> </f:entry> </f:section> </j:jelly>
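Review bot: In doFillCredentialsIdItems (AbstractLiquibaseDescriptor.java, second hunk) the permission check runs against `item`, but the lookup still uses `project` in `CredentialsProvider.lookupCredentials(StandardUsernameCredentials.class, project)`. Both parameters are bound with @AncestorInPath, so the object that is authorised and the object that scopes the lookup can differ, and `project` is null whenever the ancestor is an Item that is not a Project. Use `item` as the lookup context and drop the `project` parameter. The commit touches two files and neither is a test; a test that calls the method as a user holding only Overall/Read and asserts that nothing beyond the current value comes back would keep the check from regressing.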
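Review bot: `expressionAllowed="true"` on `<c:select/>` in liquibase-common-connection-config.jelly is a behaviour change that the permission check in the Java file does not depend on, and the commit message ("Fixed credentials management") does not explain it. State why expressions are wanted in the credentialsId field, or move the attribute to its own commit so the security fix can be reviewed and backported by itself.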
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-44cm-p9q7-rr3p (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-2285 (GHSA, advisory)
- www.openwall.com/lists/oss-security/2020/09/23/1 (GHSA, mailing list, x_refsource_MLIST, web)
- github.com/jenkinsci/liquibase-runner-plugin/commit/d1607478c9592f45d5e9a4868cb85195c634cb60 (GHSA, web)
- www.jenkins.io/security/advisory/2020-09-23/ (GHSA, x_refsource_CONFIRM, web)
News mentions
- Jenkins Security Advisory 2020-09-23 (Jenkins Security Advisories · Sep 23, 2020)