CVE-2019-10387

2019-08-0715:15:13

Google

osv.dev

6.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

28.6%

JSON

A missing permission check in Jenkins XL TestView Plugin 1.2.0 and earlier in XLTestView.XLTestDescriptor#doTestConnection allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CPENameOperatorVersion
xltestview-plugineqxltest-plugin-plugin-1.1.0-beta-1
xltestview-plugineqxltest-plugin-plugin-1.1.0-beta-4
xltestview-plugineqxltest-plugin-plugin-1.1.0-beta-5
xltestview-plugineqxltest-plugin-plugin-1.1.0-beta-2
xltestview-plugineqxltestview-plugin-1.1.1
xltestview-plugineqxltestview-plugin-1.2.0
xltestview-plugineqxltestview-plugin-plugin-1.0.1
xltestview-plugineqxltestview-plugin-plugin-1.0.0-beta-2
xltestview-plugineqxltest-plugin-plugin-1.1.0
xltestview-plugineqxltest-plugin-plugin-2.2.2-beta-2

Name	Operator	Version
xltestview-plugin	eq	xltest-plugin-plugin-1.1.0-beta-1
xltestview-plugin	eq	xltest-plugin-plugin-1.1.0-beta-4
xltestview-plugin	eq	xltest-plugin-plugin-1.1.0-beta-5
xltestview-plugin	eq	xltest-plugin-plugin-1.1.0-beta-2
xltestview-plugin	eq	xltestview-plugin-1.1.1
xltestview-plugin	eq	xltestview-plugin-1.2.0
xltestview-plugin	eq	xltestview-plugin-plugin-1.0.1
xltestview-plugin	eq	xltestview-plugin-plugin-1.0.0-beta-2
xltestview-plugin	eq	xltest-plugin-plugin-1.1.0
xltestview-plugin	eq	xltest-plugin-plugin-2.2.2-beta-2