Improper access control in Project Inheritance

#VU21361 Improper access control in Project Inheritance

Published: 2019-09-26

Vulnerability identifier: #VU21361

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-10409

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Project Inheritance
Web applications / Modules and components for CMS

Vendor: Jenkins

Description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due a missing permission check in the HTTP endpoint triggering project creation. A remote authenticated user with Overall/Read permission can bypass implemented security restrictions and create these projects from templates.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Project Inheritance: 1.4.8 - 19.08.01

External links
http://www.openwall.com/lists/oss-security/2019/09/25/3
http://jenkins.io/security/advisory/2019-09-25/#SECURITY-401

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Project Inheritance plugin for Jenkins