CVE-2019-16541 — Jenkins JIRA Plugin allows users to select and use credentials with System scope

Description

Jenkins JIRA Plugin 3.0.10 and earlier does not declare the correct (folder) scope for per-folder Jira site definitions, allowing users to select and use credentials with System scope. Jira Plugin 3.0.11 defines the appropriate folder context for credential lookup. As a side effect, existing per-folder Jira sites may lose access to already configured System-scoped credentials, as if no credential was specified in the first place.

How to fix CVE-2019-16541

To remediate CVE-2019-16541, upgrade the affected package to a fixed version below.

—upgrade to 3.0.11 or later

Is CVE-2019-16541 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.0.11

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-16541
PATCHgithub.com/jenkinsci/jira-plugin
WEBgithub.com/jenkinsci/jira-plugin/commit/3214a54b6871d82cb34a26949aad93b0fa78d1a8
WEBjenkins.io/security/advisory/2019-11-21/#SECURITY-1106