Jenkins Warnings Plugin 10.5.0 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to. This fix has been backported to 10.4.1.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| io.jenkins.plugins:warnings-ng(Maven) | 10.5.0 | 10.5.1 | N/A |
| io.jenkins.plugins:warnings-ng(Maven) | 0 | 10.4.1 | N/A |
CVSS Metrics
