VYPR
Moderate severity · NVD Advisory · Published Apr 12, 2023 · Updated Feb 7, 2025

CVE-2023-30518

Description

Jenkins Thycotic Secret Server Plugin 1.0.2 and earlier lacks a permissions check, allowing Overall/Read users to enumerate credential IDs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Jenkins Thycotic Secret Server Plugin, up to and including version 1.0.2, is missing a permission check in the code path that lists Jenkins credentials for selection. Jenkins plugins normally restrict that listing to users who are allowed to see or use credentials in the relevant context; this plugin does not verify any such permission, so the only requirement for reaching it is Overall/Read. An attacker with that permission can therefore enumerate the IDs of credentials stored in Jenkins, information that is otherwise limited to more privileged users [1][3].

Exploitation requires an authenticated account with Overall/Read permission on the Jenkins instance, one of the lowest privilege levels Jenkins grants. No further privilege or special network position is needed. The attacker can list credential IDs manually through the plugin's UI elements or programmatically through the HTTP endpoints that back them, neither of which enforces the missing check [2].

The impact of successfully enumerating credential IDs is that the attacker learns which credential identifiers exist in the Jenkins environment. This does not by itself disclose credential values such as passwords or tokens, but it is a stepping stone: credential IDs are the keys by which jobs and pipelines bind credentials, so an attacker who also holds, or later obtains, the ability to configure a job can reference the enumerated IDs directly, and can target specific credentials for extraction if other weaknesses exist [1][3].

The affected-package data on this page lists every release up to and including 1.0.2 as vulnerable and records no patched version. Before relying on an upgrade as the remediation, confirm a fixed release against the Jenkins security advisory and the plugin's release history; until a fix is confirmed, limit Overall/Read to trusted users and treat the plugin's credential listing as exposed to every authenticated user. Jenkins classified the issue as medium severity because Overall/Read is a prerequisite [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                    Ecosystem  Affected versions  Patched versions
io.jenkins.plugins:thycotic-secret-server  Maven      <= 1.0.2           (none listed)

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 4

News mentions: 1