Missing Authorization
A missing permission check in Jenkins Team Foundation Server Plugin allows attackers with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins.
Advisories for Maven/Org.jenkins-Ci.plugins/Tfs package
2021
Missing Authorization
A missing permission check in Jenkins Team Foundation Server Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Cross-Site Request Forgery (CSRF)
A cross-site request forgery (CSRF) vulnerability in Jenkins Team Foundation Server Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
2020
Missing Encryption of Sensitive Data
Jenkins Team Foundation Server Plugin stores a webhook secret unencrypted in its global configuration file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.