Description
A missing permission check in Jenkins Avatar Plugin 1.2 and earlier allows attackers with Overall/Read access to change the avatar of any user of Jenkins.
Remediation
References
https://jenkins.io/security/advisory/2019-08-07/#SECURITY-1099
http://www.openwall.com/lists/oss-security/2019/08/07/1
Related Vulnerabilities
CVE-2020-28500 Vulnerability in maven package org.webjars.bowergithub.lodash:lodash
CVE-2022-29770 Vulnerability in maven package com.xuxueli:xxl-job
CVE-2021-31409 Vulnerability in maven package com.vaadin:vaadin-compatibility-server
CVE-2021-21633 Vulnerability in maven package org.jenkins-ci.plugins:dependency-track
CVE-2020-2149 Vulnerability in maven package org.jenkins-ci.plugins:repository-connector