1. Home
  2. Security Advisories
  3. Jenkins
  4. JENKINS:SECURITY-1099

[JENKINS:SECURITY-1099] `avatar` allows changing other users' avatars

Severity Medium
Affected Packages 2
CVEs 1
Info Packages References Vulnerabilities

avatar does not implement a permission check for the HTTP URL used to replace user avatars.
This allows any user with Overall/Read permission to change any other user's avatar, in addition to their own.

As of publication of this advisory, there is no fix.

Package Affected Version
pkg:maven/org.jenkins-ci.plugins/avatar <= 1.2
pkg:github/jenkinsci/avatar-plugin <= 1.2
ID
JENKINS:SECURITY-1099
Severity
medium
Published
2019-08-07T00:00:00
(5 years ago)
Modified
2019-08-07T00:00:00
(5 years ago)
Rights
Jenkins Security Team
Other Advisories
Source # ID Name URL
Plugin repository avatar repository https://github.com/jenkinsci/avatar-plugin
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.jenkins-ci.plugins/avatar org.jenkins-ci.plugins avatar <= 1.2
Affected pkg:github/jenkinsci/avatar-plugin jenkinsci avatar-plugin <= 1.2
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date