First published: Fri May 31 2019
A missing permission check in Jenkins Artifactory Plugin 3.2.3 and earlier in various 'fillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate the IDs of credentials stored in Jenkins.
Credit: jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jfrog Artifactory | <=3.2.3 | |
| maven/org.jenkins-ci.plugins:artifactory | <=3.2.2 | |
The severity of CVE-2019-10323 is medium, with a severity value of 4.3.
CVE-2019-10323 affects Jfrog Artifactory version 3.2.3 and earlier.
CVE-2019-10323 allows any user with Overall/Read permission to view a list of valid credential IDs in Jenkins Artifactory Plugin.
Upgrading to a version later than 3.2.3 of Jenkins Artifactory Plugin fixes CVE-2019-10323.
You can find more information about CVE-2019-10323 at the following references:
- http://www.openwall.com/lists/oss-security/2019/05/31/2
- http://www.securityfocus.com/bid/108540
- https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1015%20(2)