{"id":"CVE-2019-10377","details":"A missing permission check in Jenkins Avatar Plugin 1.2 and earlier allows attackers with Overall/Read access to change the avatar of any user of Jenkins.","aliases":["GHSA-mg72-h5gj-8gg7"],"modified":"2026-04-10T04:13:49.354507Z","published":"2019-08-07T15:15:12.783Z","references":[{"type":"ADVISORY","url":"https://jenkins.io/security/advisory/2019-08-07/#SECURITY-1099"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2019/08/07/1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/avatar-plugin","events":[{"introduced":"0"},{"last_affected":"e5a99f72d879b795e2e1a84f61902b0d6e67c9d9"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.2"}]}}],"versions":["avatar-1.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-10377.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}]}