CVE-2019-16567: Jenkins Team Concert Plugin missing permission check

CVSS Score (CVSS v3.1)
4.3

Basic Information

EPSS Score
0.0722%
Published
5/24/2022
Updated
10/27/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package Name                         Ecosystem   Vulnerable Versions   First Patched Version
org.jenkins-ci.plugins:teamconcert   maven       <= 1.3.0              (none listed)

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability description explicitly mentions missing permission checks in form-related methods that allow credential ID enumeration. Jenkins plugins typically implement 'doFill[Field]Items' methods to populate dropdown lists in configuration forms, and Stapler exposes every such public method as a web endpoint. These methods are vulnerable when they lack @RequirePermissions annotations or equivalent authorization checks, because any authenticated user who can reach the endpoint receives the full list of credential IDs the descriptor can see. The advisory specifically references credential ID exposure through form validation, which aligns with this common Jenkins plugin pattern.

WAF Protection Rules

WAF Rule

A missing permission check in Jenkins Team Concert Plugin 1.3.0 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins.
