Improper Authorization in Jenkins Configuration Plugin by CloudBees
CVE-2019-10344
4.3 MEDIUM
Key Information:
- Vendor: Jenkins
- CVE Published: 31 July 2019
What is CVE-2019-10344?
The Jenkins Configuration as Code Plugin prior to version 1.24 contains a flaw where missing permission checks on critical HTTP endpoints allow users with Overall/Read access to obtain sensitive information. This unauthorized access enables these users to view the generated schema and documentation pertaining to the plugin, potentially exposing insights about other installed plugins and configurations. The oversight raises significant security implications for environments utilizing Jenkins.
Affected Version(s)
Jenkins Configuration as Code Plugin 1.24 and earlier