Allele Security Alert
ASA-2019-00603
Identifier(s)
ASA-2019-00603, CVE-2019-10463, SECURITY-1483 (2)
Title
Missing permission check
Vendor(s)
Dynatrace Development Team
Dariusz Glugla
Piotr Lugowsk
Product(s)
Jenkins Dynatrace Application Monitoring Plugin
Affected version(s)
Jenkins Dynatrace Application Monitoring Plugin versions before 2.1.4
Fixed version(s)
Unknown
Proof of concept
Unknown
Description
Dynatrace Application Monitoring Plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to initiate a connection test to an attacker-specified server with an attacker-specified username and password.
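The following Java snippet is an added illustration of the vulnerability class the description names; it is not code from the Dynatrace plugin or the Jenkins project. The class and method names (ExampleMonitoringBuilder, doCheckConnectionUnsafe, doCheckConnection, tryConnect) are hypothetical. It shows a form-validation method that can be reached by any Overall/Read user next to the hardened form that requires POST and checks Item/Configure (or Overall/Administer when no job is in scope) before making any outbound connection, which is the pattern Jenkins plugin maintainers use to fix this class of issue.

```java
// Added example, not the plugin's own code: a Jenkins form-validation method
// without a permission check, beside the hardened version.
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class ExampleMonitoringBuilder extends Builder {

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // VULNERABLE pattern (hypothetical): Stapler exposes this method as a
        // web endpoint, and nothing restricts who may call it, so any user with
        // Overall/Read can make the Jenkins controller open a connection to a
        // server, username and password of that user's choosing.
        public FormValidation doCheckConnectionUnsafe(@QueryParameter String serverUrl,
                                                      @QueryParameter String username,
                                                      @QueryParameter String password) {
            return tryConnect(serverUrl, username, password);
        }

        // HARDENED pattern: require POST (so the check cannot be triggered by a
        // crafted GET link) and verify the caller may configure the job, or
        // administer Jenkins when called outside a job context, before any I/O.
        @POST
        public FormValidation doCheckConnection(@AncestorInPath Item item,
                                                @QueryParameter String serverUrl,
                                                @QueryParameter String username,
                                                @QueryParameter String password) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            return tryConnect(serverUrl, username, password);
        }

        // Stand-in for the real connection test; constructed for this example.
        private FormValidation tryConnect(String serverUrl, String username, String password) {
            if (serverUrl == null || serverUrl.isEmpty()) {
                return FormValidation.error("Server URL is required");
            }
            return FormValidation.ok("Connection parameters accepted");
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example monitoring step";
        }
    }
}
```

When reviewing a plugin for this class of bug, look for every public `do*` method on a Descriptor that performs network or credential-related work and confirm it carries both a `@POST` annotation and a `checkPermission` call before the action; Jenkins' own advisory text for this entry describes exactly the missing check.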
Technical details
Unknown
Credits
Viktor Gazdag (NCC Group)
Reference(s)
Jenkins Security Advisory 2019-10-23
https://jenkins.io/security/advisory/2019-10-23/#SECURITY-1483 (2)
Jenkins security advisory
https://groups.google.com/d/msg/jenkinsci-advisories/KCv6eDsiV3Y/GNr0aDC3AQAJ
oss-security – Multiple vulnerabilities in Jenkins plugins
https://www.openwall.com/lists/oss-security/2019/10/23/2
Dynatrace Application Monitoring
https://plugins.jenkins.io/dynatrace-dashboard
CVE-2019-10463
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10463
CVE-2019-10463
https://nvd.nist.gov/vuln/detail/CVE-2019-10463
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: November 4, 2019