CVE-2019-10354
MEDIUM
Jenkins < 2.176.1 and < 2.185 - Missing Authorization via Stapler Web Framework
Title source: llm
Description
A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtaining sensitive information.
References (5)
Core References
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/07/17/2
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/109373
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2503
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2548
Vendor Advisory x_refsource_confirm
https://jenkins.io/security/advisory/2019-07-17/#SECURITY-534
Scores
CVSS v3
4.3
EPSS
0.0019
EPSS Percentile
40.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-862
Status
published
Products (6)
jenkins/jenkins
< 2.176.1
jenkins/jenkins
< 2.185
org.jenkins-ci.main/jenkins-core
0 - 2.176.2 (Maven)
org.kohsuke.stapler/stapler-parent
0 - 1.257.1 (Maven)
redhat/openshift_container_platform
3.11
redhat/openshift_container_platform
4.1
Published
Jul 17, 2019
Tracked Since
Feb 18, 2026