-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability stems from an unauthenticated HTTP endpoint handler in the plugin's DescriptorImpl class. Jenkins plugins typically implement web endpoints via Stapler framework methods prefixed with 'do' (e.g., doGetCredentials). The advisory explicitly states the missing permission check in an endpoint that interacts with credentials, matching the pattern of descriptor classes handling system-level configurations. While exact code isn't available, the combination of CWE-862 (Missing Authorization) and Jenkins plugin architecture patterns strongly indicates a credentials enumeration method in the publisher's descriptor class lacking Jenkins.get().checkPermission() calls.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| io.loader:loaderio-jenkins-plugin | maven | <= 1.0.1 |
A Semantic Attack on Google Gemini - Read the Latest Research