Vulnerabilities > CVE-2019-10369 - Missing Authorization vulnerability in Jenkins Jclouds

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

jenkins

CWE-862

NVD

Published: 2019-08-07

Updated: 2024-11-21

Summary

A missing permission check in Jenkins JClouds Plugin 2.14 and earlier in BlobStoreProfile.DescriptorImpl#doTestConnection and JCloudsCloud.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Vulnerable Configurations

Part	Description	Count
Application	Jenkins Jenkins Jclouds - Jenkins Jclouds 2.4.1 Jenkins Jclouds 2.5 Jenkins Jclouds 2.6 Jenkins Jclouds 2.7 Jenkins Jclouds 2.8 Jenkins Jclouds 2.8.1-1 Jenkins Jclouds 2.9 Jenkins Jclouds 2.10 Jenkins Jclouds 2.11 Jenkins Jclouds 2.12 Jenkins Jclouds 2.13 Jenkins Jclouds 2.14	13

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References