Skip to main content

Contrast Security Plugin EUVDEUVD-2026-38780

| CVE-2026-57299 MEDIUM
Missing Authorization (CWE-862)
2026-06-24 jenkins GHSA-8263-qv4g-vfxr
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Enumeration of metadata names is a confidentiality impact (C:L), not integrity; all other metrics align with the provided CVSS vector.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 26, 2026 - 04:30 vuln.today
CVSS changed
Jun 26, 2026 - 02:22 NVD
4.3 (MEDIUM)
CVE Published
Jun 24, 2026 - 13:20 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

Missing permission checks in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allow attackers with Overall/Read permission to enumerate the names of configured Contrast metadata.

AnalysisAI

Missing authorization checks in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allow any authenticated Jenkins user with the low-privilege Overall/Read permission to enumerate the names of configured Contrast metadata via a network-accessible endpoint. The vulnerability is classified CWE-862 (Missing Authorization) and has an EPSS score of 0.15% (4th percentile), indicating negligible real-world exploitation activity. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid Jenkins account with Overall/Read permission
Delivery
Send crafted HTTP request to Contrast plugin metadata endpoint
Exploit
Bypass missing permission check (CWE-862)
Execution
Enumerate names of all configured Contrast metadata entries
Impact
Use metadata names for targeted reconnaissance

Vulnerability AssessmentAI

Exploitation The attacker must be authenticated to the Jenkins instance with at minimum Overall/Read permission - the baseline access level for virtually any registered Jenkins user. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.3 (Medium) vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N contains a notable inconsistency: the described impact - enumerating configured metadata names - is a confidentiality concern (C:L), not an integrity concern (I:L); defenders should verify the vector against the vendor advisory at https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3697%20(2) before relying on it for risk scoring. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Jenkins user holding only the default Overall/Read permission sends a crafted HTTP request to the Contrast plugin's metadata enumeration endpoint. Because no additional permission check is enforced, the plugin returns the names of all configured Contrast metadata entries. …
Remediation Upgrade the Jenkins Contrast Continuous Application Security Plugin to a version released after 3.11 by consulting the Jenkins Plugin Manager or the vendor advisory at https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3697%20(2); the exact fixed version is not independently confirmed from available data, so administrators should verify the latest release in the Jenkins update center. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38780 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy