
CVE-2019-10333: Jenkins ElectricFlow Plugin Missing permission checks

CVSS Score (v3.0): 4.3

Basic Information

EPSS Score: 0.11723%
Published: 5/24/2022
Updated: 10/26/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name: org.jenkins-ci.plugins:electricflow
Ecosystem: maven
Vulnerable Versions: <= 1.1.6
First Patched Version: 1.1.7

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability centers on missing permission checks in the plugin's Stapler web methods for form validation (doCheck*) and autocompletion (doAutoComplete*). Jenkins dispatches such methods to any user who can reach the relevant configuration form, so unless the method itself calls checkPermission, a user holding only Overall/Read can invoke it directly (with crafted query parameters) and learn whatever it returns. Based on Jenkins plugin conventions and the advisory's statement that both plugin and server configuration could be exposed through these methods, we identify three likely entry points:

1) server configuration validation in the global settings,
2) project name autocompletion in build steps,
3) application name validation in deployment steps.

These align with the CVE's description of the attack vector and with the plugin's ElectricFlow integration points. Confidence is medium: the method names are inferred from Jenkins naming patterns rather than taken from the patch diff, so they should be confirmed against the 1.1.6 to 1.1.7 change before being relied on.
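The inference above can be mechanised. The following is an added example, not code from Miggo or from the ElectricFlow / CloudBees CD plugin: a heuristic scanner that walks Java source for Stapler web methods using the Jenkins form-validation and autocompletion naming conventions (doCheck*, doFill*Items, doAutoComplete*, doTest*) and flags those whose body never calls checkPermission or hasPermission. The embedded Java descriptor is a constructed sample with hypothetical class, method and helper names (ConfigurationDescriptor, ElectricFlowClient, doCheckElectricFlowUrl and so on); two of its methods are unguarded in the way the advisory describes and two show the hardened Jenkins pattern.

```python
"""Heuristic source scan for the vulnerability class behind CVE-2019-10333:
Jenkins Stapler web methods (doCheck*, doFill*Items, doAutoComplete*,
doTest*) that never perform a permission check.

Added example; not the ElectricFlow / CloudBees CD plugin's own code.
"""
import re
from typing import Dict, List

# Constructed sample descriptor (hypothetical names, not real plugin source).
SAMPLE_JAVA = '''
public class ConfigurationDescriptor extends Descriptor<Configuration> {

    // Unguarded: any user who can reach the form can drive this validator.
    public FormValidation doCheckElectricFlowUrl(@QueryParameter String value) {
        if (value == null || value.isEmpty()) {
            return FormValidation.error("URL is required");
        }
        return FormValidation.ok();
    }

    // Unguarded: enumerates projects on the configured server for anyone.
    public ListBoxModel doFillProjectNameItems(@QueryParameter String configuration) {
        ListBoxModel items = new ListBoxModel();
        for (String p : ElectricFlowClient.forConfiguration(configuration).listProjects()) {
            items.add(p);
        }
        return items;
    }

    // Hardened: POST only, and Administer required before credentials are used.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return FormValidation.ok("Connection successful");
    }

    // Hardened: autocompletion limited to users who may configure the item.
    public AutoCompletionCandidates doAutoCompleteApplicationName(
            @AncestorInPath Item item, @QueryParameter String value) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        return new AutoCompletionCandidates();
    }
}
'''

# Stapler exposes every public doXxx(...) method over HTTP; these prefixes are
# the form-validation / autocompletion / connection-test conventions.
WEB_METHOD_RE = re.compile(
    r"(?P<annotations>(?:@\w+(?:\([^)]*\))?\s*)*)"
    r"public\s+(?:static\s+)?[\w<>\[\]]+\s+"
    r"(?P<name>do(?:Check|Fill|AutoComplete|Test)\w*)\s*\("
)
PERMISSION_RE = re.compile(r"\b(?:checkPermission|checkAnyPermission|hasPermission)\s*\(")
POST_ANNOTATIONS = {"RequirePOST", "POST"}  # Jenkins CSRF convention, related hardening


def _matching(src: str, start: int, open_ch: str, close_ch: str) -> int:
    """Return the index just past the delimiter that closes src[start]."""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == open_ch:
            depth += 1
        elif src[i] == close_ch:
            depth -= 1
            if depth == 0:
                return i + 1
    raise ValueError("unbalanced delimiters starting at %d" % start)


def find_web_methods(src: str) -> List[Dict[str, object]]:
    """Locate candidate web methods and record whether each body checks a permission."""
    findings = []
    for m in WEB_METHOD_RE.finditer(src):
        paren_open = m.end() - 1                       # the '(' of the parameter list
        paren_close = _matching(src, paren_open, "(", ")")
        brace_open = src.index("{", paren_close)       # start of the method body
        brace_close = _matching(src, brace_open, "{", "}")
        body = src[brace_open:brace_close]
        annotations = set(re.findall(r"@(\w+)", m.group("annotations")))
        findings.append({
            "name": m.group("name"),
            "has_permission_check": bool(PERMISSION_RE.search(body)),
            "requires_post": bool(annotations & POST_ANNOTATIONS),
        })
    return findings


def unprotected_web_methods(src: str) -> List[str]:
    """Names of web methods reachable without any permission check in their body."""
    return [f["name"] for f in find_web_methods(src) if not f["has_permission_check"]]


if __name__ == "__main__":
    for f in find_web_methods(SAMPLE_JAVA):
        print(f)
    print("unprotected:", unprotected_web_methods(SAMPLE_JAVA))
```

Run against a plugin checkout by feeding each .java file's text to find_web_methods. The check is deliberately conservative: it only looks inside the method body, so a permission check delegated to a helper will be reported as missing and must be reviewed by hand, and a reported hit proves reachability by a low-privilege user, not what the method leaks. The requires_post field records the separate Jenkins convention of restricting side-effecting validators to POST; it is not what CVE-2019-10333 is about, but the two fixes are normally applied together.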


WAF Protection Rules

WAF Rule

Various form validation and form autocompletion methods in CloudBees CD Plugin lacked permission checks. This allowed attackers with Overall/Read access to obtain information about the configuration of CloudBees CD Plugin, as well as the configuratio
