- Bug
- Resolution: Fixed
- Minor
- (unreleased)
Credentials plugin allows updating credentials IDs server-side. Only the UI prevents editing the ID field by default, and that can be circumvented by users with permission to update credentials.
As this ID collision is unexpected, the credentials management UI does not handle this case well (e.g., only listing one of the credentials with conflicting IDs).
This should be fixed so that credentials cannot have the same ID in the same store.
We've considered treating this as a vulnerability, but the impact is very similar to what users with Credentials/Update permission can accomplish legitimately (e.g., changing credentials to break builds), so we decided to not consider this to be a security issue.
- relates to
  - JENKINS-72618 remove legacy support for non ID based credentials (Open)