CVE Catalog

CVE-2026-57297

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

9th percentile — higher than 9% of all known CVEs

Summary

A missing permission check in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username, API key, and service key.

Risk Assessment

The risk involves potential Server-Side Request Forgery (SSRF) attacks or data leakage, as an attacker can send requests to external servers while impersonating an authorized user.

Recommendation

It is recommended to immediately update the Contrast Continuous Application Security Plugin to a version newer than 3.11, which includes a fix for the missing permission check.

Original NVD description (English source)

A missing permission check in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username, API key, and service key.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS