QwikSec

Security Database

CVE

CWE

Training

CVE-2019-10369

Published: Aug 7, 2019

Modified: Aug 4, 2024

PUBLISHED

Description

A missing permission check in Jenkins JClouds Plugin 2.14 and earlier in BlobStoreProfile.DescriptorImpl#doTestConnection and JCloudsCloud.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Vendor	Product	Versions
Jenkins project	Jenkins JClouds Plugin	affected `2.14 and earlier`

References

[oss-security] 20190807 Multiple vulnerabilities in Jenkins plugins

mailing-list

x_refsource_MLIST

https://jenkins.io/security/advisory/2019-08-07/#SECURITY-1482

x_refsource_CONFIRM

[jclouds-notifications] 20200106 [jira] [Created] (JCLOUDS-1536) SECURITY-1482 / CVE-2019-10368 (CSRF), CVE-2019-10369 (permission check)

mailing-list

x_refsource_MLIST

[jclouds-notifications] 20200107 [jira] [Resolved] (JCLOUDS-1536) SECURITY-1482 / CVE-2019-10368 (CSRF), CVE-2019-10369 (permission check)

mailing-list

x_refsource_MLIST

[jclouds-notifications] 20200107 [jira] [Commented] (JCLOUDS-1536) SECURITY-1482 / CVE-2019-10368 (CSRF), CVE-2019-10369 (permission check)

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.