A missing permission check in Jenkins SSH Plugin 2.6.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CPE | Name | Operator | Version |
---|---|---|---|
org.jenkins-ci.plugins:ssh | eq | 2.6 | |
org.jenkins-ci.plugins:ssh | eq | 2.5 | |
org.jenkins-ci.plugins:ssh | eq | 2.4 | |
org.jenkins-ci.plugins:ssh | eq | 2.6.1 |