CVE-2019-10333
Description
Missing permission checks in Jenkins ElectricFlow Plugin 1.1.5 and earlier in various HTTP endpoints allowed users with Overall/Read access to obtain information about the Jenkins ElectricFlow Plugin configuration and configuration of connected ElectricFlow instances.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2019-10333: Missing permission checks in Jenkins ElectricFlow Plugin 1.1.5 and earlier allow users with Overall/Read access to leak plugin and connected instance configuration.
Vulnerability
CVE-2019-10333 identifies missing permission checks in the Jenkins ElectricFlow Plugin (formerly CloudBees CD Plugin) version 1.1.5 and earlier. Several HTTP endpoints did not verify that the requesting user had the necessary permissions, allowing any user with the default Overall/Read access to access sensitive configuration data. [1][2]
Exploitation
An attacker with only Overall/Read access to a Jenkins instance can exploit these endpoints by simply sending HTTP requests to the vulnerable URLs. No authentication beyond the basic Jenkins user session is required, and the attack does not need to bypass any other access controls. The ease of exploitation is increased because the endpoints are part of the plugin's normal operation, making them discoverable. [2]
Impact
Successful exploitation allows the attacker to obtain the Jenkins ElectricFlow Plugin configuration, which may include connection settings, credentials, and details about connected ElectricFlow instances. This information leakage could enable further attacks against the ElectricFlow infrastructure or expose internal network configurations. [1][2]
Mitigation
The vulnerability is fixed in ElectricFlow Plugin version 1.1.7, released on 2019-06-11. Administrators are strongly advised to upgrade immediately. No known workarounds are available; upgrading is the only complete mitigation. The vulnerability is not listed in CISA KEV. [3]
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
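The class of bug described above (descriptor HTTP endpoints that Stapler exposes to every authenticated user, with no permission check inside) is best shown next to its fix. The following Java is an added example written for this page, not code from the ElectricFlow plugin or from Jenkins; the class, field and endpoint names (`FlowDeployStep`, `doFillConnectionItems`, `doTestConnection`) and the sample connection data are hypothetical, while the Jenkins and Stapler APIs used (`Jenkins.get()`, `Jenkins.ADMINISTER`, `Item.CONFIGURE`, `@AncestorInPath`, `@POST`, `ListBoxModel`, `FormValidation`) are the real ones a plugin author would use.

```java
// Added example (not the ElectricFlow plugin's own code): the permission-check pattern
// Jenkins expects on descriptor HTTP endpoints. Names below are hypothetical.
package example.flow;

import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

/** Hypothetical build step whose descriptor serves form-filling and validation endpoints. */
public class FlowDeployStep extends Builder {

    /** Stand-in for connection settings a plugin keeps in its global configuration. */
    static final class FlowConnection {
        final String name;
        final String serverUrl;
        FlowConnection(String name, String serverUrl) { this.name = name; this.serverUrl = serverUrl; }
    }

    /** Constructed sample data; a real plugin would read this from its GlobalConfiguration. */
    static FlowConnection[] configuredConnections() {
        return new FlowConnection[] {
            new FlowConnection("prod-flow", "https://flow.example.internal"),
            new FlowConnection("staging-flow", "https://flow-staging.example.internal"),
        };
    }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // BEFORE (the vulnerable shape): Stapler routes
        // /descriptorByName/example.flow.FlowDeployStep/fillConnectionItemsUnchecked to this
        // method for any logged-in user, and nothing here checks a permission, so a user with
        // only Overall/Read learns every configured instance name and URL.
        public ListBoxModel doFillConnectionItemsUnchecked() {
            ListBoxModel model = new ListBoxModel();
            for (FlowConnection c : configuredConnections()) {
                model.add(c.name + " (" + c.serverUrl + ")", c.name);
            }
            return model;
        }

        // AFTER: the caller must be allowed to configure the job, or to administer Jenkins when
        // the endpoint is reached outside any job context. Fill methods return an empty model
        // instead of throwing, which is the convention in the Jenkins form-validation guidance.
        public ListBoxModel doFillConnectionItems(@AncestorInPath Item item) {
            boolean allowed = (item == null)
                    ? Jenkins.get().hasPermission(Jenkins.ADMINISTER)
                    : item.hasPermission(Item.CONFIGURE);
            ListBoxModel model = new ListBoxModel();
            if (!allowed) {
                return model;
            }
            for (FlowConnection c : configuredConnections()) {
                model.add(c.name + " (" + c.serverUrl + ")", c.name);
            }
            return model;
        }

        // Check/test endpoints fail closed: checkPermission throws AccessDeniedException
        // (an HTTP 403) for unauthorised callers, and @POST prevents the side-effecting
        // request from being triggered by a plain GET.
        @POST
        public FormValidation doTestConnection(@AncestorInPath Item item,
                                               @QueryParameter String serverUrl) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            if (serverUrl == null || !serverUrl.startsWith("https://")) {
                return FormValidation.error("Server URL must use https");
            }
            // A real implementation would probe the server here; this example only validates input.
            return FormValidation.ok("Connection settings look valid");
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }

        @Override
        public String getDisplayName() { return "Deploy via Flow (example)"; }
    }
}
```

The two halves differ only in the permission gate, which is the whole of the fix class described by the advisory: Stapler exposes every public `doXxx` method on a descriptor as a URL, so each one has to decide for itself who may call it. When reviewing a plugin for this pattern, look at every `doFill*`, `doCheck*` and `doTest*` method and confirm it either calls `checkPermission` or returns an empty result when `hasPermission` is false; confirming that the installed ElectricFlow plugin is at 1.1.7 or later (Manage Jenkins, Plugins) is the corresponding operational check.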
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:electricflow (Maven) | < 1.1.7 | 1.1.7 |
Affected products
- Jenkins project / Jenkins ElectricFlow Plugin (Range: 1.1.5 and earlier)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-m8f2-9282-x38v (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2019-10333 (NVD entry)
- https://www.openwall.com/lists/oss-security/2019/06/11/1 (oss-security mailing list)
- https://www.securityfocus.com/bid/108747 (SecurityFocus BID 108747)
- https://jenkins.io/security/advisory/2019-06-11/ (Jenkins security advisory, 2019-06-11; cited by both MITRE and GHSA)
- https://web.archive.org/web/20200227033720/http://www.securityfocus.com/bid/108747 (archived copy of BID 108747)
News mentions
No linked articles in our index yet.