CVE-2019-10333: Jenkins ElectricFlow Plugin Missing permission checks
CVSS Score: 4.3 (CVSS v3.0)
Basic Information
CVE ID: CVE-2019-10333
GHSA ID
EPSS Score: 0.11723%
CWE
Published: 5/24/2022
Updated: 10/26/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:electricflow | maven | <= 1.1.6 | 1.1.7 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability centers on missing permission checks in form validation (doCheck*) and autocompletion (doAutoComplete*) methods. Based on Jenkins plugin conventions and the advisory's description of configuration and data exposure through these methods, the likely affected integration points are:
1) server configuration validation in the global settings;
2) project name autocompletion in build steps;
3) application name validation in deployment steps.
These align with the CVE's description of the attack vectors and the ElectricFlow integration points. Confidence is medium, because the method names are inferred from common Jenkins plugin patterns rather than taken from an explicit patch diff.
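As an added illustration of the weakness class described above (hypothetical code written for this entry, not the ElectricFlow plugin's own source), a Jenkins form-validation endpoint with no permission check is shown beside the hardened form that gates the endpoint with a permission check and restricts it to POST; the class and method names are assumed for the example.

```java
import hudson.model.AutoCompletionCandidates;
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

// Hypothetical descriptor illustrating missing authorization on Stapler web
// methods (doCheck*/doAutoComplete*). Not the real plugin's code.
public class ExampleServerDescriptor {

    // VULNERABLE: any user who can reach the Jenkins web UI can call
    // .../checkServerUrlUnsafe?value=... and learn how the plugin reacts
    // to arbitrary input, leaking configuration details it validates against.
    public FormValidation doCheckServerUrlUnsafe(@QueryParameter String value) {
        if (!value.startsWith("https://")) {
            return FormValidation.warning("Use HTTPS for the ElectricFlow server");
        }
        return FormValidation.ok();
    }

    // HARDENED: same validation, but only administrators may invoke it
    // (global configuration is admin-only), and @POST rejects GET requests
    // so the endpoint cannot be triggered by a crafted link.
    @POST
    public FormValidation doCheckServerUrl(@QueryParameter String value) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (!value.startsWith("https://")) {
            return FormValidation.warning("Use HTTPS for the ElectricFlow server");
        }
        return FormValidation.ok();
    }

    // Job-scoped variant for a build/deploy step: the caller must be allowed to
    // configure the job whose form is being edited, not merely read Jenkins.
    @POST
    public AutoCompletionCandidates doAutoCompleteProjectName(
            @AncestorInPath Item item, @QueryParameter String value) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        AutoCompletionCandidates c = new AutoCompletionCandidates();
        // Constructed placeholder list; real code would query the ElectricFlow server.
        for (String p : new String[] {"Default", "Demo"}) {
            if (p.startsWith(value)) c.add(p);
        }
        return c;
    }
}
```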