Impact
An incorrect permission check in the Jenkins Gitee Plugin allows a user with global Item/Configure permission but lacking that permission on a particular job to enumerate the IDs of credentials stored in Jenkins. Enumerating credential IDs can help attackers identify targets for credential misuse, representing an improper access control flaw categorized as CWE‑862.
Affected Systems
The vulnerability affects Jenkins Gitee Plugin versions up to and including 1288.v18b_deb_c9069b. Any instance of Jenkins using these plugin versions is impacted, regardless of the Jenkins core version. Upgrade to a later plugin release that resolves the permission check is required.
Risk and Exploitability
The vulnerability is not listed in the KEV catalog and no EPSS data is available. Its CVSS score of 4.3 denotes low‑medium severity. The likely attack vector is an internal user or a compromised account with global Item/Configure rights. Because the flaw permits credential ID enumeration, it enables attackers to identify targets for credential misuse, indicating a confidentiality impact. The issue is an improper access control weakness, classified as CWE‑862.
OpenCVE Enrichment