Description
An incorrect permission check in Jenkins Gitee Plugin 1288.v18b_deb_c9069b_ and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credentials IDs of credentials stored in Jenkins.
Published: 2026-06-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An incorrect permission check in the Jenkins Gitee Plugin allows a user with global Item/Configure permission but lacking that permission on a particular job to enumerate the IDs of credentials stored in Jenkins. Enumerating credential IDs can help attackers identify targets for credential misuse, representing an improper access control flaw categorized as CWE‑862.

Affected Systems

The vulnerability affects Jenkins Gitee Plugin versions up to and including 1288.v18b_deb_c9069b. Any instance of Jenkins using these plugin versions is impacted, regardless of the Jenkins core version. Upgrade to a later plugin release that resolves the permission check is required.

Risk and Exploitability

The vulnerability is not listed in the KEV catalog and no EPSS data is available. Its CVSS score of 4.3 denotes low‑medium severity. The likely attack vector is an internal user or a compromised account with global Item/Configure rights. Because the flaw permits credential ID enumeration, it enables attackers to identify targets for credential misuse, indicating a confidentiality impact. The issue is an improper access control weakness, classified as CWE‑862.

Generated by OpenCVE AI on June 24, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Jenkins Gitee Plugin to the latest released version that corrects the permission check.
  • Restrict or remove global Item/Configure permission from users who do not need it; enforce the principle of least privilege.
  • If the plugin is not essential, disable or uninstall it to eliminate the attack surface.

Generated by OpenCVE AI on June 24, 2026 at 20:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins Project
Jenkins Project jenkins Gitee Plugin
Vendors & Products Jenkins Project
Jenkins Project jenkins Gitee Plugin

Wed, 24 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Title Credential ID Enumeration in Jenkins Gitee Plugin via Faulty Permission Check

Wed, 24 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Title Inappropriate Permission Check Allows Credential ID Enumeration in Jenkins Gitee Plugin

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Wed, 24 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Title Inappropriate Permission Check Allows Credential ID Enumeration in Jenkins Gitee Plugin
Weaknesses CWE-284

Wed, 24 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-862
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description An incorrect permission check in Jenkins Gitee Plugin 1288.v18b_deb_c9069b_ and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credentials IDs of credentials stored in Jenkins.
References

Subscriptions

Jenkins Project Jenkins Gitee Plugin
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-24T14:47:35.688Z

Reserved: 2026-06-24T08:41:44.358Z

Link: CVE-2026-57293

cve-icon Vulnrichment

Updated: 2026-06-24T14:47:24.491Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:41:06Z

Weaknesses