CVE-2019-10319 — Missing Authorization in Project Jenkins PAM Authentication Plugin

CWE-862 — Missing Authorization2 documents2 sources

Severity

4.3MEDIUMNVD

EPSS

0.0%

top 89.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins PAM Authentication Plugin Jenkins Pluggable Authentication Module Jenkins Credentials Plugin +1 more

Timeline

PublishedMay 21

Description

A missing permission check in Jenkins PAM Authentication Plugin 1.5 and earlier, except 1.4.1 in PamSecurityRealm.DescriptorImpl#doTest allowed users with Overall/Read permission to obtain limited information about the file /etc/shadow and the user Jenkins is running as.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶jenkinsjenkins/pam_authentication_plugin

▶CVEListV5jenkins_project/jenkins_pam_authentication_plugin1.5 and earlier, except 1.4.1

▶jenkinsjenkins/credentials_plugin

▶NVDjenkins/pluggable_authentication_module6 versions+5

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2019-05-21↗2019-05-21

▶