CVE-2019-16567: Jenkins Team Concert Plugin missing permission check
4.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.0722%
CWE
Published
5/24/2022
Updated
10/27/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.jenkins-ci.plugins:teamconcert | maven | <= 1.3.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability description explicitly mentions missing permission checks in form-related methods that allow credential ID enumeration. Jenkins plugins typically use 'doFill[Field]Items' methods to populate dropdown lists in configuration forms
. These methods are vulnerable when they lack @RequirePermissions
annotations or equivalent authorization checks. The advisory specifically references credential ID exposure through form validation
, which aligns with this common Jenkins plugin pattern.