CVE-2019-10438

CWE-862 — Missing Authorization CWE-2855 documents5 sources

Severity

6.5MEDIUM

EPSS

0.0%

top 85.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins CRX Content Package Deployer Jenkins Project Jenkins CRX Content Package Deployer Plugin

Timeline

PublishedOct 16

Latest updateMay 24

Description

A missing permission check in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:crx-content-package-deployer< 1.9

▶CVEListV5jenkins_project/jenkins_crx_content_package_deployer_plugin1.8.1 and earlier

▶NVDjenkins/crx_content_package_deployer1.8.1

🔴Vulnerability Details

OSV

Jenkins CRX Content Package Deployer Plugin subject to Missing Authorization↗2022-05-24

▶

GHSA

Jenkins CRX Content Package Deployer Plugin subject to Missing Authorization↗2022-05-24

▶

CVEList

CVE-2019-10438: A missing permission check in Jenkins CRX Content Package Deployer Plugin 1↗2019-10-16

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2019-10-16↗2019-10-16

▶