Missing Permission Check in Jenkins Rundeck Plugin Allows Unauthorized URL Access
CVE-2019-10455
4.3 MEDIUM
What is CVE-2019-10455?
The Rundeck Plugin for Jenkins contains a security flaw caused by a missing permission check. An attacker with Overall/Read permission can exploit it to make Jenkins connect to an attacker-specified URL using attacker-specified credentials. This could lead to unauthorized access to sensitive information and resources within the Jenkins environment.
Affected Version(s)
Jenkins Rundeck Plugin 3.6.5 and earlier