Missing Permission Check in Jenkins ElectricFlow Plugin Allows Unauthorized URL Connections
CVE-2019-10332
4.3 MEDIUM
Summary
The ElectricFlow Plugin for Jenkins, in versions 1.1.5 and earlier, is missing a permission check. This allows users with Overall/Read access to make Jenkins connect to an attacker-specified URL using attacker-specified credentials. Such unrestricted access can lead to unauthorized information exposure and potential exploitation of connected systems, highlighting the importance of robust permission validation in plugin configurations.
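The bug class described above, a "test connection" form-validation endpoint that performs a server-side request without checking the caller's permissions, is shown in the added example below beside a hardened version. This is illustrative code written for this page, not the ElectricFlow plugin's source; the class, method and field names (ExampleServerConfig, doTestConnectionUnsafe, doTestConnection, tryConnect) are hypothetical, and it assumes a Jenkins core recent enough to provide Jenkins.get() (2.98 or later).

```java
package example; // hypothetical package, not the ElectricFlow plugin's

import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Hypothetical global-config entry that stores the address of an external server. */
public class ExampleServerConfig extends AbstractDescribableImpl<ExampleServerConfig> {

    @Extension
    public static final class DescriptorImpl extends Descriptor<ExampleServerConfig> {

        @Override
        public String getDisplayName() {
            return "Example server";
        }

        // BEFORE (the vulnerable pattern): Stapler exposes every public do* method of a
        // descriptor as a URL. Without a permission check, any user who holds Overall/Read
        // can call this endpoint and make the Jenkins controller open a connection to a URL
        // of their choosing, sending credentials they supply.
        public FormValidation doTestConnectionUnsafe(@QueryParameter String url,
                                                     @QueryParameter String username,
                                                     @QueryParameter String password) {
            return tryConnect(url, username, password);
        }

        // AFTER (the hardened pattern): require POST so the request cannot be triggered by a
        // crafted link (CSRF), and require Overall/Administer before doing anything, since only
        // administrators may edit global configuration. checkPermission throws
        // AccessDeniedException for callers without the permission, so nothing below it runs
        // for them. For per-job configuration the equivalent is
        // item.checkPermission(Item.CONFIGURE) on an @AncestorInPath Item parameter.
        @RequirePOST
        public FormValidation doTestConnection(@QueryParameter String url,
                                               @QueryParameter String username,
                                               @QueryParameter String password) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return tryConnect(url, username, password);
        }

        // Shared helper: a bounded HEAD request with HTTP Basic credentials. The helper itself
        // is harmless; what matters is which callers are allowed to reach it.
        private static FormValidation tryConnect(String url, String username, String password) {
            try {
                HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
                conn.setRequestMethod("HEAD");
                conn.setConnectTimeout(5000);
                conn.setReadTimeout(5000);
                String token = Base64.getEncoder().encodeToString(
                        (username + ":" + password).getBytes(StandardCharsets.UTF_8));
                conn.setRequestProperty("Authorization", "Basic " + token);
                int code = conn.getResponseCode();
                return code < 400
                        ? FormValidation.ok("Connected (HTTP " + code + ")")
                        : FormValidation.error("Server returned HTTP " + code);
            } catch (IOException e) {
                return FormValidation.error("Connection failed: " + e.getMessage());
            }
        }
    }
}
```

When auditing a plugin for this class of issue, look at every public do* method on a Descriptor (form validation, "test connection", dropdown fill methods) and confirm that each one either checks a permission appropriate to where the form lives (Overall/Administer for global configuration, Item/Configure for job configuration) or performs no side effect that an unprivileged user should not be able to trigger; @RequirePOST on its own only addresses CSRF and is not a substitute for the permission check.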
Affected Version(s)
Jenkins ElectricFlow Plugin 1.1.5 and earlier
References
CVSS V3.1
Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved