Description
A missing permission check in Jenkins Assembla Plugin 1.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username and password.
Published: 2026-06-24
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing permission check in Jenkins Assembla Plugin 1.4 and earlier permits an attacker with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username and password. The flaw enables the plugin to send those credentials to arbitrary external endpoints.

Affected Systems

The Jenkins Project Assembla Plugin versions 1.4 and all earlier releases are affected. Jenkins installations deploying these plugin versions are at risk.

Risk and Exploitability

There is no documented exploitation. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 5.4 indicates a moderate level of risk. The likely attack vector is internal to a Jenkins environment, where a user holding only read privileges triggers the plugin. Because the permission check is missing, such a user can trivially trigger outbound requests to arbitrary URLs.

Generated by OpenCVE AI on June 24, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Assembla Plugin to a version that includes a fix for the missing permission check
  • Re-evaluate and restrict Overall/Read permissions for untrusted users to enforce least privilege
  • Implement network monitoring or outbound request filtering to detect unexpected external connections from Jenkins plugins


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Title Missing Permission Check Allows Credential Leakage in Jenkins Assembla Plugin
Weaknesses CWE-284

Wed, 24 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-862
Metrics cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}
Metrics ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Title Missing Permission Check Allows Credential Leakage in Jenkins Assembla Plugin
Weaknesses CWE-284

Wed, 24 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description A missing permission check in Jenkins Assembla Plugin 1.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username and password.
References

MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-24T14:16:18.488Z

Reserved: 2026-06-24T08:41:44.359Z

Link: CVE-2026-57304

Vulnrichment

Updated: 2026-06-24T14:15:16.520Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T17:00:13Z

Weaknesses