CVE-2019-10333
MEDIUM 4.3, EPSS 0.04%
Jenkins ElectricFlow Plugin Missing permission checks
Published: 2022/5/24
Modified: 2024/2/16
Description
Various form validation and form autocompletion methods in CloudBees CD Plugin lacked permission checks. This allowed attackers with Overall/Read access to obtain information about the configuration of CloudBees CD Plugin, as well as the configuration and data of connected ElectricFlow servers. These form validation and autocompletion methods now require Overall/Administer or Job/Configure permission, as appropriate for the given method.
Affected packages (1)
- Maven/org.jenkins-ci.plugins:electricflow from 0, < 1.1.7
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |