CVE-2019-10354 — Missing Authorization in Jenkins

CWE-862 — Missing Authorization CWE-425 — Forced Browsing CWE-200 — Sensitive Information Exposure8 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 58.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Jenkins Project Jenkins Redhat Openshift Container Platform

Timeline

PublishedJul 17

Latest updateMay 24

Description

A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDjenkins/jenkins2.176.1+1

▶CVEListV5jenkins_project/jenkins2.185 and earlier, LTS 2.176.1 and earlier

Also affects: Openshift Container Platform 3.11, 4.1

🔴Vulnerability Details

OSV

Missing Authorization in Jenkins↗2022-05-24

▶

GHSA

Missing Authorization in Jenkins↗2022-05-24

▶

CVEList

CVE-2019-10354: A vulnerability in the Stapler web framework used in Jenkins 2↗2019-07-17

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2019-07-17↗2019-07-17

▶

Red Hat

jenkins: Unauthorized view fragment access (SECURITY-534)↗2019-07-17

▶

💬Community

Bugzilla

CVE-2019-10354 jenkins: Unauthorized view fragment access (SECURITY-534) [fedora-all]↗2019-07-17

▶

Bugzilla

CVE-2019-10354 jenkins: Unauthorized view fragment access (SECURITY-534)↗2019-07-17

▶