First published: Tue Jun 11 2019(Updated: )
A missing permission check in Jenkins ElectricFlow Plugin 1.1.5 and earlier in Configuration#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
Affected Software | Affected Version | How to fix |
---|---|---|
Jenkins Electricflow | <=1.1.5 | |
maven/org.jenkins-ci.plugins:electricflow | <=1.1.6 | 1.1.7 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID is CVE-2019-10332.
The affected software is Jenkins ElectricFlow Plugin.
The severity level of CVE-2019-10332 is medium with a severity value of 4.3.
Attackers with Overall/Read permission can initiate a connection test to an attacker-specified server with an attacker-specified username and password.
Yes, the vulnerability can be fixed by updating to version 1.1.6 or later.