CVE-2019-10472

Published: Oct 23, 2019Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

A missing permission check in Jenkins Libvirt Slaves Plugin allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Affected (1)

Products: Jenkins: Libvirt Slaves

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Jenkins Libvirt Slaves	Up to 1.8.5

Related CWEs

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

References (4)

http://www.openwall.com/lists/oss-security/2019/10/23/2

Source: jenkinsci-cert@googlegroups.com

Mailing ListThird Party Advisory

https://jenkins.io/security/advisory/2019-10-23/#SECURITY-1014%20%281%29

Source: jenkinsci-cert@googlegroups.com

http://www.openwall.com/lists/oss-security/2019/10/23/2

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://jenkins.io/security/advisory/2019-10-23/#SECURITY-1014%20%281%29

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.