Jenkins Report Portal Plugin 0.5 and earlier does not mask ReportPortal access tokens displayed on the configuration form, increasing the p…
Jenkins Report Portal Plugin 0.5 and earlier does not mask ReportPortal access tokens displayed on the configuration form, increasing the potential for attackers to observe and capture them.
The product implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens generated in the system are incorrect.
https://cwe.mitre.org/data/definitions/1270.html →Open in CWE collection →https://capec.mitre.org/data/definitions/121.html →Open in CAPEC collection →
An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.
https://capec.mitre.org/data/definitions/633.html →Open in CAPEC collection →https://capec.mitre.org/data/definitions/681.html →Open in CAPEC collection →