CVE-2019-10323
Published 2019-05-31
Priority P4 · 23 · medium · 4.3 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS 1.88% (76.8th percentile)
A missing permission check in Jenkins Artifactory Plugin 3.2.3 and earlier in various 'fillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | artifactory_plugin | — | — |
| jenkins | gitea_plugin | — | — |
| jenkins | ids_to_allow_users_configuring_the_plugin | — | — |
| jenkins | improper_handling_of_untrusted_branches_in_gitea_plugin | — | — |
| jenkins | influxdb_plugin | — | — |
| jenkins | pipeline_maven_integration_plugin | — | — |
| jenkins | pipeline_remote_loader_plugin | — | — |
| jenkins | warnings_plugin | — | — |
| jenkins_project | jenkins_artifactory_plugin | — | — |
| jfrog | artifactory | <= 3.2.3 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | CVSS 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| NVD | CVSS 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
GHSA
Jenkins Artifactory Plugin missing permission check
ghsa·2022-05-24
CVE-2019-10323 [MEDIUM] CWE-862 Jenkins Artifactory Plugin missing permission check
Jenkins Artifactory Plugin provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.
This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an attack to capture the credentials using another vulnerability.
As of publication of this advisory, no release containing a fix is available.
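The advisory describes a credentials dropdown whose fill method never asks who is calling. The following is an added illustration in the Jenkins plugin style, not the Artifactory Plugin's own code: the class and method names are hypothetical, and the hardened variant follows the permission pattern Jenkins documents for form-validation methods (Item/ExtendedRead or Credentials/UseItem on a job, Overall/Administer at global scope), falling back to the currently selected value so the form still renders for users who may not enumerate.

```java
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

// Hypothetical descriptor used only for this illustration.
public class CredentialsDropdownExample {

    // Weak pattern of the kind the advisory describes: the fill method runs
    // for anyone who can reach the form, so Overall/Read is enough to receive
    // the full list of stored credentials IDs.
    public ListBoxModel doFillCredentialsIdItemsUnchecked() {
        return new StandardListBoxModel()
                .includeEmptyValue()
                .includeAs(ACL.SYSTEM, Jenkins.get(), StandardUsernameCredentials.class);
    }

    // Hardened pattern: check the caller's permission on the job being
    // configured (or globally when there is no job) before looking anything
    // up; otherwise return only the value already selected.
    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        if (item == null) {
            // Global configuration: only administrators may enumerate.
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return result.includeCurrentValue(credentialsId);
            }
        } else if (!item.hasPermission(Item.EXTENDED_READ)
                && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
            // Job configuration: reading the config or using credentials
            // on this item is the minimum to see the list.
            return result.includeCurrentValue(credentialsId);
        }
        // Lookup runs as SYSTEM so it sees all credentials the job may use,
        // but only after the caller has been authorised above.
        return result
                .includeEmptyValue()
                .includeAs(ACL.SYSTEM, item, StandardUsernameCredentials.class)
                .includeCurrentValue(credentialsId);
    }
}
```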
OSV
Jenkins Artifactory Plugin missing permission check
osv·2022-05-24
CVE-2019-10323 [MEDIUM] Jenkins Artifactory Plugin missing permission check
Jenkins
Jenkins Security Advisory 2019-05-31
vendor_jenkins·2019-05-31·CVSS 5.4
CVE-2019-10321 [MEDIUM] Jenkins Security Advisory 2019-05-31
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Artifactory Plugin
- Gitea Plugin
- InfluxDB Plugin
- Pipeline Maven Integration Plugin
- Pipeline Remote Loader Plugin
- Warnings Plugin
Descriptions
Persisted XSS vulnerabili
No detection rules found.
No public exploits indexed.
Talos
Vulnerability Spotlight: Multiple bugs in several Jenkins plugins
blogs_talos·2019-05-06·CVSS 4.3
[MEDIUM] Vulnerability Spotlight: Multiple bugs in several Jenkins plugins
## Vulnerability Spotlight: Multiple bugs in several Jenkins plugins
Peter Adkins of Cisco Umbrella discovered these vulnerabilities.
## Executive summary
Jenkins is an open-source automation server written in Java. There are several plugins that exist to integrate Jenkins with other pieces of software, such as GitLab. Today, Cisco Talos is disclosing vulnerabilities in three of these plugins: Swarm, Ansible and GitLab. All three of these are information disclosure vulnerabilities that could allow an attacker to trick the plugin into disclosing credentials from the Jenkins credential database to a server that they control.
In accordance with our coordinated disclosure policy, Cisco Talos worked with Jenkins and the associated companies to ensure that these issues are resolved and that updates are available for affected customers.
## Vulnerability deta
References
- http://www.openwall.com/lists/oss-security/2019/05/31/2
- http://www.securityfocus.com/bid/108540
- https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1015%20%282%29
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0846