[com.compuware.jenkins:compuware-topaz-for-total-test] Jenkins Compuware Topaz for Total Test Plugin allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins

Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-43427
• https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2623
• http://www.openwall.com/lists/oss-security/2022/10/19/3
• https://github.com/advisories/GHSA-x5gv-5rqv-654m