Insufficient Permission Checks in Jenkins Artifactory Plugin by CloudBees
CVE-2019-10322

4.3MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Artifactory Plugin
Vendor: CVE Published:; 31 May 2019

🔔 Create Jenkins Vulnerability Alert

What is CVE-2019-10322?

A vulnerability exists in the Jenkins Artifactory Plugin that allows users with Overall/Read access to connect to an arbitrary URL. This is due to a missing permission check in the ArtifactoryBuilder.DescriptorImpl#doTestConnection method. Attackers can exploit this flaw to utilize credentials stored in Jenkins, potentially leading to credential exposure for unauthorized users.

Affected Version(s)

Jenkins Artifactory Plugin 3.2.2 and earlier

References

http://www.openwall.com/lists/oss-security/2019/05/31/2

mailing-listx_refsource_MLIST

http://www.securityfocus.com/bid/108540

vdb-entryx_refsource_BID

https://www.talosintelligence.com/vulnerability_reports/T...

x_refsource_MISC

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 31, 2019
Vulnerability Reserved
Mar 29, 2019

.

CVE-2019-10322 : Insufficient Permission Checks in Jenkins Artifactory Plugin by CloudBees