CVE-2019-10357 — Missing Authorization in Jenkins Pipeline

CWE-862 — Missing Authorization CWE-284 — Improper Access Control CWE-285 — Improper Authorization7 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 80.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Pipeline Jenkins Project Jenkins Pipeline Shared Groovy Libraries Plugin Redhat Openshift Container Platform

Timeline

PublishedJul 31

Latest updateMay 24

Description

A missing permission check in Jenkins Pipeline: Shared Groovy Libraries Plugin 2.14 and earlier allowed users with Overall/Read access to obtain limited information about the content of SCM repositories referenced by global libraries.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_pipeline_shared_groovy_libraries_plugin2.14 and earlier

▶NVDjenkins/pipeline2.14

Also affects: Openshift Container Platform 3.11, 4.1

🔴Vulnerability Details

OSV

Missing Authorization in Jenkins Pipeline: Shared Groovy Libraries Plugin↗2022-05-24

▶

GHSA

Missing Authorization in Jenkins Pipeline: Shared Groovy Libraries Plugin↗2022-05-24

▶

CVEList

CVE-2019-10357: A missing permission check in Jenkins Pipeline: Shared Groovy Libraries Plugin 2↗2019-07-31

▶

📋Vendor Advisories

Red Hat

jenkins-plugin-workflow-cps-global-lib: Missing permission check in Pipeline: Shared Groovy Libraries Plugin↗2019-08-01

▶

Jenkins

Jenkins Security Advisory 2019-07-31↗2019-07-31

▶

💬Community

Bugzilla

CVE-2019-10357 jenkins-plugin-workflow-cps-global-lib: Missing permission check in Pipeline: Shared Groovy Libraries Plugin↗2019-08-01

▶