VYPR
Moderate severity · NVD Advisory · Published Jan 24, 2023 · Updated Aug 2, 2024

CVE-2023-24451

Description

Jenkins Cisco Spark Notifier Plugin missing a permission check allows attackers with Overall/Read to enumerate credential IDs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Description

The Jenkins Cisco Spark Notifier Plugin up to and including version 1.1.1 lacks a permission check when exposing credential IDs. The flaw arises because the plugin does not verify that the requesting user holds the necessary permission (such as Credentials/View) before returning the list of stored credential identifiers [1][2].

Exploitation

An attacker who holds only the Overall/Read permission (a low-privilege access level that is often granted broadly) can exploit this missing check to enumerate credential IDs. The attacker does not need to authenticate as a privileged user or have direct access to the credentials themselves; the ability to read the Jenkins configuration is sufficient [1].

Impact

By enumerating credential IDs, an attacker can identify which credentials are stored in Jenkins and potentially use that information as a stepping stone for further attacks, such as targeting specific credential stores or attempting to exploit other vulnerabilities that require knowledge of credential IDs. The vulnerability does not directly expose the credential secrets themselves, but it facilitates reconnaissance [1][2].

Mitigation

The Jenkins project has addressed this vulnerability in the security advisory published on 2023-01-24. Users are advised to update to a version of the Cisco Spark Notifier Plugin that includes the missing permission check. No workaround is provided aside from upgrading. As of the advisory date, a fixed version has been released [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:cisco-spark-notifier-plugin (Maven)
Affected versions: <= 1.1.1
Patched versions: none listed

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 1