CVE-2019-10377
Description
Missing permission check in Jenkins Avatar Plugin allows attackers with Overall/Read access to change any user's avatar.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2019-10377 is a missing permission check in Jenkins Avatar Plugin version 1.2 and earlier. The plugin fails to verify that a user has the required permissions (e.g., Administer) before allowing avatar changes, relying only on Overall/Read access [1].
Exploitation
An attacker with Overall/Read access (the lowest default permission level in Jenkins) can exploit this flaw to change the avatar of any Jenkins user. No additional authentication or privileges are required beyond Overall/Read [2].
Impact
By altering a user's avatar, an attacker can conduct social engineering attacks, impersonate other users, or cause reputational damage. The impact is limited to avatar manipulation, but it undermines trust in user identity within the Jenkins environment [1].
Mitigation
As of the advisory publication date (2019-08-07), no fix for Avatar Plugin had been released; the vulnerability remains unresolved. Administrators are advised to restrict Overall/Read access to trusted users or consider removing the plugin if not in use [1][2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| net.hurstfrost.jenkins:avatarMaven | >= 0 | — |
Affected products
- Jenkins Avatar Plugin, range: 1.2 and earlier
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-mg72-h5gj-8gg7 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10377 (NVD advisory)
- www.openwall.com/lists/oss-security/2019/08/07/1 (oss-security mailing list)
- jenkins.io/security/advisory/2019-08-07/ (Jenkins security advisory)
News mentions
No linked articles in our index yet.