Missing Permission Check in Jenkins XL TestView Plugin Allows Unauthorized URL Access
CVE-2019-10387

6.5MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Xl Testview Plugin
Vendor: CVE Published:; 7 August 2019

Summary

The Jenkins XL TestView Plugin has a vulnerability that arises from a missing permission check, which permits users with Overall/Read access to connect to arbitrary attacker-specified URLs. This risk is exacerbated as compromised users can utilize attacker-specified credentials IDs that can be obtained through other exploits, potentially exposing sensitive credentials stored in Jenkins. Administrators should evaluate their plugin configurations and consider updating to mitigate this security issue.

Affected Version(s)

Jenkins XL TestView Plugin 1.2.0 and earlier

References

http://www.openwall.com/lists/oss-security/2019/08/07/1

mailing-listx_refsource_MLIST

https://jenkins.io/security/advisory/2019-08-07/#SECURITY...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 7, 2019
Vulnerability Reserved
Mar 29, 2019