CVE-2019-10333
Jenkins ElectricFlow Plugin Missing permission checks
Severity: 4.3 MEDIUM (CVSS 3.1)
EPSS: 0.04%
Description
Various form validation and form autocompletion methods in CloudBees CD Plugin (formerly ElectricFlow Plugin) lacked permission checks. In Jenkins these methods (the `doCheck*` and `doFill*Items` methods on a descriptor) are exposed by Stapler as HTTP endpoints, so they can be called directly with attacker-chosen parameters rather than only from the configuration form. This allowed attackers with Overall/Read access to obtain information about the configuration of CloudBees CD Plugin, as well as the configuration and data of connected ElectricFlow servers. These form validation and autocompletion methods now require Overall/Administer or Job/Configure permission, as appropriate for the given method.
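The pattern behind this class of bug, and the standard Jenkins fix, as an added example written for this page rather than code from the CloudBees CD Plugin. The builder, descriptor, field names (`serverUrl`, `configuration`) and the constructed server list are hypothetical; the `doCheckServerUrlBefore` method is kept only to contrast the unguarded form with the hardened one and would not be shipped.

```java
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.net.URI;
import java.net.URISyntaxException;

/** Hypothetical build step that talks to a remote server (example only). */
public class ConnectServerBuilder extends Builder {
    private final String serverUrl;

    @DataBoundConstructor
    public ConnectServerBuilder(String serverUrl) { this.serverUrl = serverUrl; }

    public String getServerUrl() { return serverUrl; }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }

        @Override
        public String getDisplayName() { return "Connect to server (example)"; }

        // BEFORE (vulnerable pattern): Stapler routes
        //   GET /descriptorByName/<fqcn>/checkServerUrlBefore?value=...
        // to this method. Nothing restricts the caller, so any user with
        // Overall/Read can probe it with arbitrary input and read the result.
        public FormValidation doCheckServerUrlBefore(@QueryParameter String value) {
            return validateUrl(value);
        }

        // AFTER (hardened): only POST, and only for users who may configure
        // the job this form belongs to, or administrators when there is no job
        // context (global configuration). checkPermission() throws, which
        // Jenkins turns into an HTTP 403 before any validation logic runs.
        @POST
        public FormValidation doCheckServerUrl(@AncestorInPath Item item,
                                               @QueryParameter String value) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            return validateUrl(value);
        }

        // Autocompletion methods leak data rather than validation verdicts, so
        // on missing permission return an empty model instead of throwing:
        // the form still renders, the unauthorized caller learns nothing.
        @POST
        public ListBoxModel doFillConfigurationItems(@AncestorInPath Item item) {
            ListBoxModel model = new ListBoxModel();
            boolean allowed = (item == null)
                    ? Jenkins.get().hasPermission(Jenkins.ADMINISTER)
                    : item.hasPermission(Item.CONFIGURE);
            if (!allowed) {
                return model;
            }
            // Constructed stand-in for the list a real plugin would fetch from
            // the configured remote server.
            model.add("Production", "prod");
            model.add("Staging", "staging");
            return model;
        }

        // Shared validation: reject malformed URLs and plain-HTTP endpoints.
        private static FormValidation validateUrl(String value) {
            if (value == null || value.trim().isEmpty()) {
                return FormValidation.error("Server URL is required");
            }
            try {
                URI uri = new URI(value.trim());
                if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null) {
                    return FormValidation.error("Server URL must be an https:// URL with a host");
                }
            } catch (URISyntaxException e) {
                return FormValidation.error("Not a valid URL: " + e.getReason());
            }
            return FormValidation.ok();
        }
    }
}
```

The `@AncestorInPath Item item` parameter is what lets one method serve both the job configuration page (where `Job/Configure` on that job is the right bar) and the global configuration page (where `Overall/Administer` is). A quick regression check for an existing plugin is to request each `checkX`/`fillXItems` URL under `/descriptorByName/<descriptor class>/` as a user who holds only Overall/Read; the hardened endpoints answer 403 (or an empty list for `fill*Items`), while an unguarded one returns the validation result or data.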
How to fix CVE-2019-10333
To remediate CVE-2019-10333, upgrade the affected plugin to a fixed version:
- Jenkins ElectricFlow Plugin (CloudBees CD Plugin): upgrade to 1.1.7 or later
Is CVE-2019-10333 being exploited?
Low. EPSS is 0.04%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Jenkins ElectricFlow Plugin (CloudBees CD Plugin): all versions before 1.1.7 (affected range: from 0, < 1.1.7)
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |