CVE-2019-10369

2019-08-0715:15:12

Google

osv.dev

6.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

41.5%

JSON

A missing permission check in Jenkins JClouds Plugin 2.14 and earlier in BlobStoreProfile.DescriptorImpl#doTestConnection and JCloudsCloud.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CPENameOperatorVersion
jclouds-plugineqjclouds-jenkins-parent-2.7
jclouds-plugineqjclouds-jenkins-2.2.1
jclouds-plugineqjclouds-jenkins-2.3
jclouds-plugineqjclouds-jenkins-2.9
jclouds-plugineqjclouds-jenkins-2.6
jclouds-plugineqjclouds-jenkins-2.10
jclouds-plugineqjclouds-jenkins-2.4
jclouds-plugineqjclouds-jenkins-2.8
jclouds-plugineqjclouds-jenkins-2.14
jclouds-plugineqjclouds-jenkins-2.1.1

Name	Operator	Version
jclouds-plugin	eq	jclouds-jenkins-parent-2.7
jclouds-plugin	eq	jclouds-jenkins-2.2.1
jclouds-plugin	eq	jclouds-jenkins-2.3
jclouds-plugin	eq	jclouds-jenkins-2.9
jclouds-plugin	eq	jclouds-jenkins-2.6
jclouds-plugin	eq	jclouds-jenkins-2.10
jclouds-plugin	eq	jclouds-jenkins-2.4
jclouds-plugin	eq	jclouds-jenkins-2.8
jclouds-plugin	eq	jclouds-jenkins-2.14
jclouds-plugin	eq	jclouds-jenkins-2.1.1