Description
A missing permission check in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username, API key, and service key.
Published: 2026-06-24
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing permission check in Jenkins Contrast Continuous Application Security Plugin version 3.11 and all earlier releases allows an attacker who has Overall or Read access in a Jenkins instance to configure the plugin to direct the Jenkins server to connect to an arbitrary external URL using attacker‑specified credentials. This is an authorization bypass (CWE‑862) that enables the attacker to force outbound network traffic from the Jenkins server, potentially exposing internal data or sending data to a malicious endpoint. No evidence of remote code execution is provided; the impact is limited to unauthorized external connectivity.

Affected Systems

The vulnerability affects installations that have the Contrast Continuous Application Security Plugin 3.11 or earlier. Only Jenkins environments where the plugin is present and a user has Overall or Read permissions are susceptible. If a Jenkins instance does not use this plugin or does not grant users the concerned permissions, the flaw does not apply.

Risk and Exploitability

The EPSS score is less than 1% and the flaw is not included in the CISA KEV catalog, suggesting no widespread exploitation has been observed. The CVSS score of 5.4 indicates moderate severity. Because the flaw requires only legitimate access to the Jenkins UI with Overall or Read privileges—permissions that many users may possess—affected installations can be considered at moderate to high risk. An attacker can use the UI or API to provide the plugin with a malicious endpoint, causing the Jenkins server to initiate outbound traffic and potentially exfiltrate data or communicate with compromised services.

Generated by OpenCVE AI on July 14, 2026 at 12:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Jenkins Contrast Continuous Application Security Plugin to the latest available version, which removes the missing permission check.
  • If an upgrade is not feasible, uninstall or disable the vulnerable plugin to eliminate the code path.
  • Restrict Overall or Read permissions to the minimal set of users required for Jenkins operation to reduce the number of users able to modify plugin configuration.
  • Implement firewall or network segmentation rules to block the Jenkins server from making outbound connections to untrusted external hosts.

Generated by OpenCVE AI on July 14, 2026 at 12:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Jul 2026 12:30:00 +0000

Type Values Removed Values Added
Title Missing permission check enables unauthorized external connectivity in Jenkins Contrast Continuous Application Security Plugin

Mon, 13 Jul 2026 06:15:00 +0000

Type Values Removed Values Added
Title Unauthorized External Connectivity via Plugin Permission Gap

Sat, 11 Jul 2026 17:45:00 +0000

Type Values Removed Values Added
Title Unauthorized External Connectivity via Plugin Permission Gap

Thu, 09 Jul 2026 22:30:00 +0000

Type Values Removed Values Added
Title Missing Permission Check Allows Outbound Connections in Jenkins Contrast Continuous Application Security Plugin

Wed, 08 Jul 2026 20:45:00 +0000

Type Values Removed Values Added
Title Missing Permission Check Allows Outbound Connections in Jenkins Contrast Continuous Application Security Plugin

Tue, 07 Jul 2026 22:30:00 +0000

Type Values Removed Values Added
Title Missing Permission Check Enables Arbitrary Outbound Connections in Jenkins Contrast Plugin
Weaknesses CWE-284

Mon, 06 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-862
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins
Jenkins contrast Continuous Application Security
Jenkins Project
Jenkins Project jenkins Contrast Continuous Application Security Plugin
Vendors & Products Jenkins
Jenkins contrast Continuous Application Security
Jenkins Project
Jenkins Project jenkins Contrast Continuous Application Security Plugin

Wed, 24 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Title Missing Permission Check Enables Arbitrary Outbound Connections in Jenkins Contrast Plugin
Weaknesses CWE-284

Wed, 24 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description A missing permission check in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username, API key, and service key.
References

Subscriptions

Jenkins Contrast Continuous Application Security
Jenkins Project Jenkins Contrast Continuous Application Security Plugin
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-07-06T14:39:42.374Z

Reserved: 2026-06-24T08:41:44.358Z

Link: CVE-2026-57297

cve-icon Vulnrichment

Updated: 2026-06-24T14:40:00.247Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-14T12:15:10Z

Weaknesses