CVE-2019-10333 org.jenkins-ci.plugins:electricflow

Package

Manager: maven
Name: org.jenkins-ci.plugins:electricflow
Vulnerable Version: >=0 <1.1.7

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00041 (percentile: 0.11596)

Details

Jenkins ElectricFlow Plugin Missing permission checks

Various form validation and form autocompletion methods in CloudBees CD Plugin lacked permission checks. This allowed attackers with Overall/Read access to obtain information about the configuration of CloudBees CD Plugin, as well as the configuration and data of connected ElectricFlow servers. These form validation and autocompletion methods now require Overall/Administer or Job/Configure permission, as appropriate for the given method.

Metadata

Created: 2022-05-24T16:47:43Z
Modified: 2023-10-26T22:17:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-m8f2-9282-x38v/GHSA-m8f2-9282-x38v.json
CWE IDs: ["CWE-862"]
Alternative ID: GHSA-m8f2-9282-x38v
Finding: F039
Auto approve: 1