Description
An incorrect permission check in Jenkins Gitee Plugin 1288.v18b_deb_c9069b_ and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credentials IDs of credentials stored in Jenkins.
Published: 2026-06-24
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An incorrect permission check in the Jenkins Gitee Plugin allows a user with global Item/Configure permission, but lacking Item/Configure permission on a particular job, to enumerate the IDs of credentials stored in Jenkins. Enumerating credential IDs increases the risk of credential reuse and reflects an improper access control flaw, categorized as CWE-284 and CWE-862.
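The advisory does not name the affected method, so the following is an added illustration of the general Jenkins pattern behind this class of flaw, not code from the Gitee Plugin. It shows a hypothetical credentials-dropdown handler (`doFillCredentialsIdItems`, the conventional Jenkins name for such form-filling methods) written two ways: first with only a global Item/Configure check, which is the shape of the weakness the advisory describes, and then with the per-item check that Jenkins documentation recommends, which is what a defender should look for when reviewing a plugin. The class name and method names are assumptions; the Jenkins and Credentials Plugin APIs used are real.

```java
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardCredentials;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import java.util.Collections;

// Hypothetical descriptor used only to illustrate the permission-check pattern.
public class ExampleCredentialsDescriptor {

    // Weak variant: a single global check. Jenkins.get().hasPermission(Item.CONFIGURE)
    // is true for anyone holding Item/Configure anywhere in the instance, so a user
    // with no rights on the job whose form is being filled still receives every
    // credential ID the system can see. This is the shape of CWE-862 in the advisory.
    public ListBoxModel doFillCredentialsIdItemsWeak(@QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        if (!Jenkins.get().hasPermission(Item.CONFIGURE)) {
            return result.includeCurrentValue(credentialsId);
        }
        return result
                .includeEmptyValue()
                .includeAs(ACL.SYSTEM, Jenkins.get(), StandardCredentials.class,
                        Collections.<DomainRequirement>emptyList())
                .includeCurrentValue(credentialsId);
    }

    // Recommended variant: resolve the job (Item) the form belongs to via
    // @AncestorInPath and check permissions on that item. Without an item context
    // (global configuration), require Overall/Administer instead. Listing is done
    // as SYSTEM only after the caller has proven the right to see credentials
    // for this item, so the dropdown never reveals IDs to an unrelated user.
    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                 @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        if (item == null) {
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return result.includeCurrentValue(credentialsId);
            }
        } else if (!item.hasPermission(Item.EXTENDED_READ)
                && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
            return result.includeCurrentValue(credentialsId);
        }
        return result
                .includeEmptyValue()
                .includeAs(ACL.SYSTEM, item, StandardCredentials.class,
                        Collections.<DomainRequirement>emptyList())
                .includeCurrentValue(credentialsId);
    }
}
```

When auditing a plugin for this weakness, look for form-filling methods (`doFill...Items`, `doCheck...`) that enumerate credentials without an `@AncestorInPath Item` parameter, or that consult only `Jenkins.get().hasPermission(...)`: those are the spots where a global-permission holder can read credential IDs for jobs they cannot configure. The `includeCurrentValue` early return is what keeps an already-saved configuration renderable for users who fail the check, without listing anything else.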

Affected Systems

The vulnerability affects Jenkins Gitee Plugin versions up to and including 1288.v18b_deb_c9069b_. Any Jenkins instance running one of these plugin versions is affected, regardless of the Jenkins core version. Upgrading to a later plugin release that corrects the permission check is required.

Risk and Exploitability

No EPSS data is available and the vulnerability is not listed in the KEV catalog. The CVSS score is 4.3, indicating a low-medium severity. The likely attack vector is internal or via a compromised account that has global Item/Configure rights. Because the flaw permits credential ID enumeration, it enables attackers to identify targets for credential misuse, implying a confidentiality impact.

Generated by OpenCVE AI on June 24, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Jenkins Gitee Plugin to the latest released version that corrects the permission check.
  • Restrict or remove global Item/Configure permission from users who do not need it; enforce the principle of least privilege.
  • If the plugin is not essential, disable or uninstall it to eliminate the attack surface.


Tracking


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Title Inappropriate Permission Check Allows Credential ID Enumeration in Jenkins Gitee Plugin

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Wed, 24 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Title Inappropriate Permission Check Allows Credential ID Enumeration in Jenkins Gitee Plugin
Weaknesses CWE-284

Wed, 24 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-862
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description An incorrect permission check in Jenkins Gitee Plugin 1288.v18b_deb_c9069b_ and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credentials IDs of credentials stored in Jenkins.
References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-24T14:47:35.688Z

Reserved: 2026-06-24T08:41:44.358Z

Link: CVE-2026-57293

Vulnrichment

Updated: 2026-06-24T14:47:24.491Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T18:00:17Z

Weaknesses