PT-2019-11692 · Jenkins · Jenkins Netsparker Cloud Scan Plugin
Viktor Gazdag
·
Published
2019-04-04
·
Updated
2023-10-25
·
CVE-2019-10290
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Netsparker Cloud Scan Plugin version 1.1.5 and older
Description
The form validation method NCScanBuilder.DescriptorImpl#doValidateAPI does not check the permissions of the user calling it. Form validation methods are reachable by every user who can read the Jenkins UI, so any user with Overall/Read permission can make the Jenkins controller initiate a connection to a server of the attacker's choosing (a server-side request forgery).
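The following is an added illustration of the bug class behind this advisory, written for this page; it is not the Netsparker Cloud Scan Plugin's own code. The class name ExampleScanBuilder, the method name doValidateAPIInsecure and the parameters serverUrl and apiToken are assumptions chosen for the example. The insecure method shows how a Jenkins descriptor form-validation endpoint, with no permission check, lets any reader of the UI make the controller connect to a caller-supplied URL; the hardened method applies the Jenkins form-validation guidance of requiring POST and checking Item/Configure (or Overall/Administer without a job context) before any side effect.

```java
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

/**
 * Illustrative build step (assumed name; NOT the real plugin's code) showing
 * a descriptor form-validation method that contacts a user-supplied server.
 */
public class ExampleScanBuilder extends Builder {

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        /**
         * VULNERABLE pattern (assumed method name). Stapler exposes this as
         *   GET /descriptorByName/<descriptor class>/validateAPIInsecure?serverUrl=...
         * to anyone who can reach the descriptor, i.e. every user with
         * Overall/Read. Nothing here asks who is calling, so a low-privilege
         * user can make the controller open a connection to any host they name,
         * and a plain GET (no CSRF crumb) is enough to trigger it.
         */
        public FormValidation doValidateAPIInsecure(@QueryParameter String serverUrl,
                                                    @QueryParameter String apiToken) {
            return probe(serverUrl, apiToken);
        }

        /**
         * HARDENED pattern:
         *  - @POST: the endpoint only answers POST, which Jenkins protects with a
         *    CSRF crumb, so a link or image tag cannot fire it;
         *  - permission check before any side effect: Item/Configure on the job
         *    being edited, or Overall/Administer when there is no job context.
         * checkPermission throws AccessDeniedException for unauthorised callers.
         */
        @POST
        public FormValidation doValidateAPI(@AncestorInPath Item item,
                                            @QueryParameter String serverUrl,
                                            @QueryParameter String apiToken) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            return probe(serverUrl, apiToken);
        }

        /** The side effect both variants share: an outbound HTTP request from the controller. */
        private static FormValidation probe(String serverUrl, String apiToken) {
            if (serverUrl == null || serverUrl.isEmpty()) {
                return FormValidation.error("Server URL is required");
            }
            HttpURLConnection conn = null;
            try {
                conn = (HttpURLConnection) new URL(serverUrl).openConnection();
                conn.setRequestMethod("GET");
                conn.setConnectTimeout(5000);
                conn.setReadTimeout(5000);
                // Note: whatever credential is configured is sent to the host the
                // caller named, which is why the caller must be authorised first.
                conn.setRequestProperty("Authorization", "Bearer " + apiToken);
                int status = conn.getResponseCode();
                return status == 200
                        ? FormValidation.ok("Connected")
                        : FormValidation.error("Server answered HTTP " + status);
            } catch (IOException e) {
                return FormValidation.error("Connection failed: " + e.getMessage());
            } finally {
                if (conn != null) {
                    conn.disconnect();
                }
            }
        }
    }
}
```

When reviewing a plugin for this class of issue, look at every public `do*` method on a Descriptor that performs network or filesystem access and confirm it carries a POST restriction and a permission check before the side effect; a `@QueryParameter` URL that reaches `openConnection()` without one is the pattern this advisory describes.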
Recommendations
For Jenkins Netsparker Cloud Scan Plugin version 1.1.5 and older: until a patched release is available, make the doValidateAPI method in NCScanBuilder.DescriptorImpl unreachable, for example by disabling or uninstalling the plugin on controllers that do not need it. Where the plugin must stay installed, restrict who holds Overall/Read permission (in particular, do not grant it to anonymous users), since that is the only privilege the attack requires. Check the installed version under Manage Jenkins > Plugins.
Fix
Weakness Enumeration
Missing Authorization
Related Identifiers
Affected Products
Jenkins
Jenkins Netsparker Cloud Scan Plugin