Missing Permission Check in Jenkins ElectricFlow Plugin Allows Unauthorized URL Connections
CVE-2019-10332
4.3 MEDIUM
What is CVE-2019-10332?
The ElectricFlow Plugin for Jenkins, versions 1.1.5 and earlier, is missing a permission check. As a result, users with only Overall/Read access can connect to an attacker-specified URL using attacker-specified credentials. This unrestricted access can lead to unauthorized information exposure and potential exploitation of connected systems, and it shows why plugin configuration endpoints need robust permission validation.
Affected Version(s)
Jenkins ElectricFlow Plugin 1.1.5 and earlier