4.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-10333

GHSA ID

GHSA-m8f2-9282-x38v

EPSS Score

0.11723%

CWE

CWE-862

Published

5/24/2022

Updated

10/26/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-10333

CVE-2019-10333: Jenkins ElectricFlow Plugin Missing permission checks

Various form validation and form autocompletion methods in CloudBees CD Plugin lacked permission checks. This allowed attackers with Overall/Read access to obtain information about the configuration of CloudBees CD Plugin, as well as the configuration and data of connected ElectricFlow servers.

These form validation and autocompletion methods now require Overall/Administer or Job/Configure permission, as appropriate for the given method.

(GitHub Advisory)

4.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-10333

GHSA ID

GHSA-m8f2-9282-x38v

EPSS Score

0.11723%

CWE

CWE-862

Published

5/24/2022

Updated

10/26/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:electricflow	maven	<= 1.1.6	1.1.7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability centers on missing permission checks in form validation (doCheck*) and autocompletion (doAutoComplete*) methods. Based on Jenkins plugin conventions and advisory details about configuration/data exposure through these methods, we identify:- 1) Server configuration validation in global settings- 2) Project name autocompletion in build steps- 3) Application name validation in deployment steps. These align with the CVE's description of attack vectors and the ElectricFlow integration points. Confidence is medium due to inferred method names from patterns rather than explicit patch diffs.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rious *orm v*li**tion *n* *orm *uto*ompl*tion m*t*o*s in *lou****s ** Plu*in l**k** p*rmission ****ks. T*is *llow** *tt**k*rs wit* Ov*r*ll/R*** ****ss to o*t*in in*orm*tion **out t** *on*i*ur*tion o* *lou****s ** Plu*in, *s w*ll *s t** *on*i*ur*tio

Reasoning

T** vuln*r**ility **nt*rs on missin* p*rmission ****ks in *orm v*li**tion (*o****k*) *n* *uto*ompl*tion (*o*uto*ompl*t**) m*t*o*s. **s** on J*nkins plu*in *onv*ntions *n* **visory **t*ils **out *on*i*ur*tion/**t* *xposur* t*rou** t**s* m*t*o*s, w* i*

4.3

Basic Information

Concerned about an active attack path?

CVE-2019-10333: Jenkins ElectricFlow Plugin Missing permission checks

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI