Description

A missing permission check in Jenkins Artifactory Plugin 3.2.2 and earlier in ArtifactoryBuilder.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Remediation

References

CVE-2019-10322

Related Vulnerabilities

WordPress Plugin Photoswipe Masonry Gallery Unspecified Vulnerability (1.2.17)

WordPress Plugin Backend Localization Multiple Cross-Site Scripting Vulnerabilities (1.6.1)

Liferay DXP CVE-2024-25148 Vulnerability (CVE-2024-25148)

WordPress Plugin Google Analytics Dashboard Plugin for WordPress by MonsterInsights 404 Error Page Cross-Site Scripting (3.2.4)

XWiki Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2023-29509)

Severity

Medium

Classification

CVE-2019-10322 CWE-862 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities