[org.jenkins-ci.plugins:config-file-provider] Missing permission checks in Jenkins Config File Provider Plugin allow enumerating configuration file IDs

Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate configuration file IDs.

An enumeration of configuration file IDs in Config File Provider Plugin 3.7.1 requires the appropriate permissions.

References

• https://nvd.nist.gov/vuln/detail/CVE-2021-21645
• https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2203
• http://www.openwall.com/lists/oss-security/2021/04/21/2
• https://github.com/advisories/GHSA-2959-fj73-hm8p