Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tOGYyLTkyODIteDM4ds4AAg9-
Jenkins ElectricFlow Plugin Missing permission checks
Various form validation and form autocompletion methods in CloudBees CD Plugin lacked permission checks. This allowed attackers with Overall/Read access to obtain information about the configuration of CloudBees CD Plugin, as well as the configuration and data of connected ElectricFlow servers.
These form validation and autocompletion methods now require Overall/Administer or Job/Configure permission, as appropriate for the given method.
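The defect described in this advisory is a general Jenkins plugin pattern: Stapler-bound `doCheck*` and `doFill*Items` methods are reachable by any user with Overall/Read unless the method itself checks authorization. The following is an added example of a hypothetical plugin descriptor (not the CloudBees CD / ElectricFlow plugin's own code; class names such as `ExampleServerStep`, the `serverUrl` / `serverName` fields and the `ExampleServerRegistry` helper are assumptions), showing the permission guards the fix adds: Overall/Administer for global-configuration forms and Job/Configure for job-level forms.

```java
package example.jenkins; // hypothetical package for this added example

import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;

/** Hypothetical build step that talks to a remote server configured in the plugin. */
public class ExampleServerStep extends Builder {

    private final String serverName;

    @DataBoundConstructor
    public ExampleServerStep(String serverName) {
        this.serverName = serverName;
    }

    public String getServerName() {
        return serverName;
    }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        /**
         * Global-configuration validation (no job in scope). Before the fix, a method like this
         * had no permission check, so any Overall/Read user could probe the server URL and learn
         * how the plugin was configured. Returning ok() instead of throwing keeps the form usable
         * for users who may legitimately see but not edit the page.
         */
        public FormValidation doCheckServerUrl(@QueryParameter String value) {
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return FormValidation.ok();
            }
            if (value == null || value.trim().isEmpty()) {
                return FormValidation.error("Server URL must not be empty");
            }
            if (!value.startsWith("https://")) {
                return FormValidation.warning("Server URL should use HTTPS");
            }
            return FormValidation.ok();
        }

        /**
         * Job-level dropdown population. The job being configured arrives via @AncestorInPath;
         * require Job/Configure on it (or Overall/Administer when no job is in scope, e.g. a
         * direct request to the descriptor URL). An empty list is returned when the caller lacks
         * permission, so no configured server names leak to read-only users.
         */
        public ListBoxModel doFillServerNameItems(@AncestorInPath Item item) {
            boolean allowed = (item == null)
                    ? Jenkins.get().hasPermission(Jenkins.ADMINISTER)
                    : item.hasPermission(Item.CONFIGURE);
            ListBoxModel model = new ListBoxModel();
            if (!allowed) {
                return model;
            }
            // ExampleServerRegistry is an assumed helper holding the globally configured servers.
            for (String name : ExampleServerRegistry.configuredServerNames()) {
                model.add(name, name);
            }
            return model;
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example server step";
        }
    }
}
```

The two guards map directly onto the fix the advisory describes: validation of global settings is gated on Overall/Administer, while job-scoped validation and autocompletion are gated on Job/Configure for the job in whose context the form is rendered. When reviewing a plugin for this class of issue, every public `do*` method on a `Descriptor` that accepts `@QueryParameter` or `@AncestorInPath` arguments is a candidate to check.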
Permalink: https://github.com/advisories/GHSA-m8f2-9282-x38v
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tOGYyLTkyODIteDM4ds4AAg9-
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 7 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-m8f2-9282-x38v, CVE-2019-10333
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10333
- https://jenkins.io/security/advisory/2019-06-11/#SECURITY-1410%20(2)
- http://www.openwall.com/lists/oss-security/2019/06/11/1
- https://web.archive.org/web/20200227033720/http://www.securityfocus.com/bid/108747
- https://github.com/advisories/GHSA-m8f2-9282-x38v
Affected Packages
maven:org.jenkins-ci.plugins:electricflow
Affected Version Ranges: <= 1.1.6
Fixed in: 1.1.7