CVE-2019-16541

Aliases:GHSA-98m4-m2c3-qxgq
Advisory lineage Upstream: 0 Downstream: 2
Modified
Published: 21 Nov 2019, 14:11
Last modified:05 Aug 2024, 01:17

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.9 CRITICAL
v3.1 (nvd)
EPSS Score
0.47% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

21 Nov 2019, 14:11
Published
Vulnerability first disclosed
05 Aug 2024, 01:17
Last Modified
Vulnerability information updated

Description

Jenkins JIRA Plugin 3.0.10 and earlier does not declare the correct (folder) scope for per-folder Jira site definitions, allowing users to select and use credentials with System scope.

CVSS Metrics

  • v3.1CRITICALScore: 9.9CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • v3.0MEDIUMScore: 6.5CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • v2.0MEDIUMScore: 6.5AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.47% Percentile: 65%

Techniques & Countermeasures

  • CWE-668Exposure of Resource to Wrong Sphere

    The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Affected Systems

  • jenkins projectjenkins jira plugin

    3.0.10 and earlier

  • jenkinsjira

    ≤ 3.0.10

  • org.jenkins-ci.pluginsjira

    < 3.0.11

References (5)