[MAVEN:GHSA-66R6-RVV9-9X6M] Jenkins ElectricFlow Plugin missing permission check

Severity Moderate

Affected Packages 1

Fixed Packages 1

CVEs 1

A missing permission check in a form validation method in CloudBees CD Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified username and password.

Additionally, the form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

Package	Affected Version
pkg:maven/org.jenkins-ci.plugins/electricflow	<= 1.1.6

Package	Fixed Version
pkg:maven/org.jenkins-ci.plugins/electricflow	= 1.1.7

ID

MAVEN:GHSA-66R6-RVV9-9X6M

Severity

moderate

URL

https://github.com/advisories/GHSA-66r6-rvv9-9x6m

Published

2022-05-24T16:47:43
(2 years ago)

Modified

2023-10-26T22:16:27
(10 months ago)

Rights

Maven Security Team

Other Advisories

JENKINS:SECURITY-1410-1

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2019-10332
			https://jenkins.io/security/advisory/2019-06-11/#SECURITY-1410%20(1)
			http://www.openwall.com/lists/oss-security/2019/06/11/1
			https://web.archive.org/web/20200227033720/http://www.securityfocus.com/bid/108747
			https://github.com/advisories/GHSA-66r6-rvv9-9x6m

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/org.jenkins-ci.plugins/electricflow	org.jenkins-ci.plugins	electricflow	<= 1.1.6
Fixed	pkg:maven/org.jenkins-ci.plugins/electricflow	org.jenkins-ci.plugins	electricflow	= 1.1.7

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date