PT-2019-11733 · Cloudbees · Cloudbees Cd Plugin

Daniel Beck · Published 2019-06-11 · Updated 2023-10-25 · CVE-2019-10333

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Jenkins ElectricFlow Plugin version 1.1.5 and earlier
CloudBees CD Plugin (affected versions not specified)

Description

The issue concerns missing permission checks in various HTTP endpoints of the Jenkins ElectricFlow Plugin and in form validation and autocompletion methods of the CloudBees CD Plugin. This allowed users with Overall/Read access to obtain sensitive information about the plugin configurations and connected ElectricFlow instances. The affected endpoints and methods have been updated to require Overall/Administer or Job/Configure permission.

Recommendations

For Jenkins ElectricFlow Plugin version 1.1.5 and earlier, update the plugin to a version that includes the necessary permission checks. For CloudBees CD Plugin, ensure that the form validation and autocompletion methods are updated to require Overall/Administer or Job/Configure permission, as appropriate for the given method.
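The fix described above follows the standard Jenkins pattern for descriptor form methods: require Job/Configure when the method is invoked from a job's configuration page and Overall/Administer when it is invoked from global configuration, and return an empty or neutral result otherwise. The following is an added illustration of that pattern in a hypothetical build step descriptor; it is not code from the ElectricFlow or CloudBees CD plugins, and the class names, the `instance` field and the `CONFIGURED_INSTANCES` sample data are assumptions made for the example.

```java
// Added example (hypothetical plugin code, not the ElectricFlow/CloudBees CD plugin's own):
// a build step descriptor whose form validation, list filling and autocompletion
// methods enforce the permission the advisory's fix describes.
package example.hardening; // hypothetical package

import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.AutoCompletionCandidates;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class ExampleBuilder extends Builder {

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // Constructed sample data standing in for instances configured in the plugin's
        // global configuration; in a real plugin this would be the stored configuration.
        private static final String[] CONFIGURED_INSTANCES = {"ef-prod", "ef-staging"};

        /**
         * The check the advisory's fix adds. From a job configuration page Stapler injects
         * the job as the ancestor Item, so Job/Configure applies; from the global
         * configuration page item is null, so Overall/Administer applies.
         */
        private static boolean callerMayReadConfig(Item item) {
            return item == null
                    ? Jenkins.get().hasPermission(Jenkins.ADMINISTER)
                    : item.hasPermission(Item.CONFIGURE);
        }

        // BEFORE (the missing-check pattern the advisory describes): a doFill method with
        // no permission check lets any user with Overall/Read enumerate configured instances.
        // public ListBoxModel doFillInstanceItems() {
        //     ListBoxModel m = new ListBoxModel();
        //     for (String s : CONFIGURED_INSTANCES) m.add(s);
        //     return m;
        // }

        // AFTER: unauthorized callers receive an empty model and learn nothing.
        @POST
        public ListBoxModel doFillInstanceItems(@AncestorInPath Item item) {
            ListBoxModel m = new ListBoxModel();
            if (!callerMayReadConfig(item)) {
                return m;
            }
            for (String s : CONFIGURED_INSTANCES) m.add(s);
            return m;
        }

        // Validation returns OK without evaluating the value for unauthorized callers, so
        // the response does not vary with configuration the caller may not see.
        @POST
        public FormValidation doCheckInstance(@AncestorInPath Item item,
                                              @QueryParameter String value) {
            if (!callerMayReadConfig(item)) {
                return FormValidation.ok();
            }
            for (String s : CONFIGURED_INSTANCES) {
                if (s.equals(value)) return FormValidation.ok();
            }
            return FormValidation.error("Unknown instance: " + value);
        }

        // Autocompletion applies the same rule and returns no candidates when unauthorized.
        public AutoCompletionCandidates doAutoCompleteInstance(@AncestorInPath Item item,
                                                               @QueryParameter String value) {
            AutoCompletionCandidates c = new AutoCompletionCandidates();
            if (!callerMayReadConfig(item)) return c;
            for (String s : CONFIGURED_INSTANCES) {
                if (value != null && s.startsWith(value)) c.add(s);
            }
            return c;
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example build step (hardened form methods)";
        }
    }
}
```

Returning an empty `ListBoxModel`, `FormValidation.ok()` or an empty candidate list, rather than throwing, keeps the form usable for users who only lack the permission while ensuring no configuration detail is disclosed to them; `@POST` on the validation and fill methods additionally prevents them from being reached by simple GET requests.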

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2019-10333
GHSA-M8F2-9282-X38V

Affected Products

Cloudbees Cd Plugin
Jenkins
Jenkins Electricflow Plugin