GHSA-jww4-2793-9gmg

Опубликовано: 24 мая 2022

Источник: github

Github: Прошло ревью

CVSS3: 6.5

Описание

Jenkins CRX Content Package Deployer Plugin subject to Missing Authorization

A missing permission check in Jenkins CRX Content Package Deployer Plugin prior to version 1.9 allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. This issue is patched in 1.9

Ссылки

Пакеты

Наименование

org.jenkins-ci.plugins:crx-content-package-deployer

maven

Затронутые версииВерсия исправления

< 1.9

1.9

EPSS

Процентиль: 15%

0.00048

Низкий

6.5 Medium

CVSS3

CVE ID

CVE-2019-10438

Дефекты

CWE-285

CWE-862

Связанные уязвимости

CVE-2019-10438

CVSS3: 6.5

nvd

больше 6 лет назад

A missing permission check in Jenkins CRX Content Package Deployer Plugin 1.8.1 and earlier allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

EPSS

Процентиль: 15%

0.00048

Низкий

6.5 Medium

CVSS3

CVE ID

CVE-2019-10438

Дефекты

CWE-285

CWE-862