The vulnerability stems from missing permission checks in the form-validation and credential-listing functions. The commit diff shows that these functions originally lacked Jenkins.ADMINISTER or Item.CONFIGURE checks, allowing users with Overall/Read access to: 1) enumerate credentials via the doFillItems methods in FodGlobalDescriptor, and 2) test connections with arbitrary credentials via the doTest methods. The patch adds explicit permission checks (Jenkins.ADMINISTER for the global configuration, Item.CONFIGURE for job-specific actions), confirming these were the vulnerable points.
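The hardened pattern the patch describes, as an added example written for this note rather than taken from the plugin's commit. Only FodGlobalDescriptor, doFillItems, doTest, Jenkins.ADMINISTER and Item.CONFIGURE come from the text above; the step descriptor class, the credential type and the parameter name are assumed.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import java.util.Collections;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

// Hypothetical step descriptor. The global FodGlobalDescriptor takes the
// item == null branch below, since no job is ever in scope on that page.
public class FodStepDescriptor extends Descriptor<Builder> {

    // Global page: Jenkins.ADMINISTER. Job page: Item.CONFIGURE on that job.
    // Before the fix neither check existed, so Overall/Read was sufficient.
    private static void checkConfigurePermission(Item item) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
    }

    // Credential drop-down: the check runs before any credential id is listed.
    public StandardListBoxModel doFillItems(@AncestorInPath Item item) {
        checkConfigurePermission(item);
        // A null item means global scope; the credentials lookup accepts that.
        return new StandardListBoxModel().includeEmptyValue()
                .includeAs(ACL.SYSTEM, item, StandardUsernamePasswordCredentials.class);
    }

    // Connection test: same check, plus @POST so a plain GET link cannot trigger it.
    @POST
    public FormValidation doTest(@AncestorInPath Item item, @QueryParameter String credentialsId) {
        checkConfigurePermission(item);
        StandardUsernamePasswordCredentials c = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                        item, ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
        if (c == null) {
            return FormValidation.error("Unknown credentials id");
        }
        return FormValidation.ok("Credential found; the actual connection test is assumed here");
    }
}
```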