#VU21533 Permissions, Privileges, and Access Controls in Configuration as Code - CVE-2019-10344

Cybersecurity Help s.r.o.

Published: 2019-10-04

Vulnerability identifier: #VU21533

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-10344

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Configuration as Code
Web applications / Modules and components for CMS

Vendor: Jenkins

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to missing permission checks in various HTTP endpoints. A remote authenticated attacker with Overall/Read access can access the generated schema and documentation for this plugin containing detailed information about installed plugins.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Configuration as Code: 0.1 - 1.24

External links
https://www.openwall.com/lists/oss-security/2019/07/31/1
https://jenkins.io/security/advisory/2019-07-31/#SECURITY-1290

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Configuration as Code plugin for Jenkins