CVE-2019-10369
MEDIUM4.2EPSS 0.07%Jenkins JClouds Plugin missing permission check
發布日:2022/5/24修改日:2024/2/16
描述
Jenkins JClouds Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability. This form validation method now requires POST requests and Overall/Administer permission.
受影響套件(1)
- Maven/org.jenkins-ci.plugins:jclouds-jenkinsfrom 0, < 2.15
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.2 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |
參考連結(9)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-10369
- WEBhttps://jenkins.io/security/advisory/2019-08-07/#SECURITY-1482
- WEBhttps://lists.apache.org/thread.html/r42b7ff290ed5ec8f27f12c54fff54462ffc4bcf6a5015c37fece94ac@%3Cnotifications.jclouds.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r42b7ff290ed5ec8f27f12c54fff54462ffc4bcf6a5015c37fece94ac%40%3Cnotifications.jclouds.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r6c4693d03d15391814c647742db49a4d9937fa34573fb66103d57b45@%3Cnotifications.jclouds.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r6c4693d03d15391814c647742db49a4d9937fa34573fb66103d57b45%40%3Cnotifications.jclouds.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r725e55670dbdd214f3cfdfea255b72a75fa9a4f0c6c9d109b29c7881@%3Cnotifications.jclouds.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r725e55670dbdd214f3cfdfea255b72a75fa9a4f0c6c9d109b29c7881%40%3Cnotifications.jclouds.apache.org%3E
- WEBhttp://www.openwall.com/lists/oss-security/2019/08/07/1