-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability stems from missing permission checks in HTTP endpoints used for credential ID enumeration. Jenkins plugins typically handle such endpoints via methods like doFillCredentialIdItems (for populating UI credential lists) and doCheckCredentialId (for form validation). These methods are part of the plugin's descriptor class (OrkaCloudDescriptor) and would be invoked via web requests. The advisory explicitly states that the patched version added permission checks to these endpoints, confirming their role in the vulnerability. The confidence is medium because the exact code isn't provided, but the functions align with Jenkins plugin patterns and the described exploit mechanism.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| io.jenkins.plugins:macstadium-orka | maven | < 1.32 | 1.32 |