CVE-2019-10333

MEDIUM4.3EPSS 0.04%

Jenkins ElectricFlow Plugin Missing permission checks

Published: 5/24/2022Modified: 2/16/2024

Description

Various form validation and form autocompletion methods in CloudBees CD Plugin lacked permission checks. This allowed attackers with Overall/Read access to obtain information about the configuration of CloudBees CD Plugin, as well as the configuration and data of connected ElectricFlow servers. These form validation and autocompletion methods now require Overall/Administer or Job/Configure permission, as appropriate for the given method.

Affected packages (1)

Maven/org.jenkins-ci.plugins:electricflowfrom 0, < 1.1.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-10333
WEBhttps://jenkins.io/security/advisory/2019-06-11/#SECURITY-1410%20(2)
WEBhttps://web.archive.org/web/20200227033720/http://www.securityfocus.com/bid/108747
WEBhttp://www.openwall.com/lists/oss-security/2019/06/11/1