CVE-2019-10332
Description
A missing permission check in Jenkins ElectricFlow Plugin 1.1.5 and earlier in Configuration#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing permission check in Jenkins ElectricFlow Plugin allows users with Overall/Read access to connect to attacker-specified URL with attacker-specified credentials.
Vulnerability
Description CVE-2019-10332 is a missing permission check vulnerability in the Jenkins ElectricFlow Plugin (formerly CloudBees CD Plugin) versions 1.1.5 and earlier. The plugin's Configuration#doTestConnection method did not verify that the user had the necessary permissions to perform the connection test. This allowed any user with Overall/Read access to execute a connection test to an arbitrary URL using attacker-supplied credentials [1][2].
Attack
Vector and Requirements An attacker with Overall/Read access to Jenkins could exploit this flaw by crafting a malicious request to the doTestConnection endpoint. The attack requires no special privileges beyond the default read access and can be performed remotely over the network. The plugin would then attempt to connect to the attacker-controlled URL using the provided credentials, potentially leaking sensitive information or enabling further attacks [2][3].
Impact
Successful exploitation allows an attacker to perform server-side request forgery (SSRF) by making the Jenkins server connect to an arbitrary URL. This could be used to probe internal network services, access cloud metadata endpoints, or capture credentials if the attacker-controlled server logs authentication attempts. The missing permission check increases the attack surface for users with limited access [2].
Mitigation
The vulnerability is fixed in ElectricFlow Plugin version 1.1.7. Users should upgrade to this version or later. Administrators should also review their Jenkins instance for any indications of misuse and ensure that only trusted users have Overall/Read access [2][3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.plugins:electricflowMaven | < 1.1.7 | 1.1.7 |
Affected products
2- Jenkins project/Jenkins ElectricFlow Pluginv5Range: 1.1.5 and earlier
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- github.com/advisories/GHSA-66r6-rvv9-9x6mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-10332ghsaADVISORY
- www.openwall.com/lists/oss-security/2019/06/11/1ghsamailing-listx_refsource_MLISTWEB
- www.securityfocus.com/bid/108747mitrevdb-entryx_refsource_BID
- jenkins.io/security/advisory/2019-06-11/mitrex_refsource_CONFIRM
- jenkins.io/security/advisory/2019-06-11/ghsaWEB
- web.archive.org/web/20200227033720/http://www.securityfocus.com/bid/108747ghsaWEB
News mentions
0No linked articles in our index yet.