From f3ad0e959aef2fb3d5626ed7a186bc99bb17692f Mon Sep 17 00:00:00 2001
From: Kurt Seifried
Date: Wed, 6 Mar 2019 14:45:30 -0800
Subject: [PATCH 1/2] Jenkins CVEs
---
2019/1003xxx/CVE-2019-1003029.json | 1 +
2019/1003xxx/CVE-2019-1003030.json | 1 +
2019/1003xxx/CVE-2019-1003031.json | 1 +
2019/1003xxx/CVE-2019-1003032.json | 1 +
2019/1003xxx/CVE-2019-1003033.json | 1 +
2019/1003xxx/CVE-2019-1003034.json | 1 +
2019/1003xxx/CVE-2019-1003035.json | 1 +
2019/1003xxx/CVE-2019-1003036.json | 1 +
2019/1003xxx/CVE-2019-1003037.json | 1 +
2019/1003xxx/CVE-2019-1003038.json | 1 +
2019/1003xxx/CVE-2019-1003039.json | 1 +
11 files changed, 11 insertions(+)
create mode 100644 2019/1003xxx/CVE-2019-1003029.json
create mode 100644 2019/1003xxx/CVE-2019-1003030.json
create mode 100644 2019/1003xxx/CVE-2019-1003031.json
create mode 100644 2019/1003xxx/CVE-2019-1003032.json
create mode 100644 2019/1003xxx/CVE-2019-1003033.json
create mode 100644 2019/1003xxx/CVE-2019-1003034.json
create mode 100644 2019/1003xxx/CVE-2019-1003035.json
create mode 100644 2019/1003xxx/CVE-2019-1003036.json
create mode 100644 2019/1003xxx/CVE-2019-1003037.json
create mode 100644 2019/1003xxx/CVE-2019-1003038.json
create mode 100644 2019/1003xxx/CVE-2019-1003039.json
diff --git a/2019/1003xxx/CVE-2019-1003029.json b/2019/1003xxx/CVE-2019-1003029.json
new file mode 100644
index 00000000000..5b300e06c45
--- /dev/null
+++ b/2019/1003xxx/CVE-2019-1003029.json
@@ -0,0 +1 @@ +{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336%20(1)"}]},"description": {"description_data": [{"lang": "eng","value": "A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.53 and earlier"}]},"product_name": "Jenkins Script Security Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.383669","ID": "CVE-2019-1003029","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-693"}]}]}} \ No newline at end of file diff --git a/2019/1003xxx/CVE-2019-1003030.json b/2019/1003xxx/CVE-2019-1003030.json new file mode 100644 index 00000000000..53e31278b52 --- /dev/null +++ b/2019/1003xxx/CVE-2019-1003030.json 
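Review bot: `DATE_ASSIGNED` in `CVE_data_meta` is written without a timezone (`"2019-03-06T22:44:37.383669"`), so a consumer cannot tell whether it is local or UTC. The commit's own timestamp (14:45:30 -0800) suggests the value is UTC; if the record format permits it, mark it explicitly, e.g. `"DATE_ASSIGNED": "2019-03-06T22:44:37.383669Z"`. The same unmarked form is used in all eleven records added by this patch.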
@@ -0,0 +1 @@ +{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336%20(2)"}]},"description": {"description_data": [{"lang": "eng","value": "A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.63 and earlier"}]},"product_name": "Jenkins Pipeline: Groovy Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.384525","ID": "CVE-2019-1003030","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-693"}]}]}} \ No newline at end of file diff --git a/2019/1003xxx/CVE-2019-1003031.json b/2019/1003xxx/CVE-2019-1003031.json new file mode 100644 index 00000000000..b1016a4aee4 --- /dev/null +++ b/2019/1003xxx/CVE-2019-1003031.json 
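Review bot: The description locates the sandbox bypass "in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java", which reads like the list of files touched by the fix rather than the vulnerable component; a build descriptor is unlikely to hold the flaw itself. Anyone triaging from this text may look in the wrong place, so consider dropping `pom.xml` or rewording to say the listed files are those changed by the fix (to be confirmed against the advisory). The same pattern appears in the CVE-2019-1003031, -1003032 and -1003033 hunks (`pom.xml`) and in the CVE-2019-1003034 hunk (`job-dsl-plugin/build.gradle`).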
@@ -0,0 +1 @@ +{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1339"}]},"description": {"description_data": [{"lang": "eng","value": "A sandbox bypass vulnerability exists in Jenkins Matrix Project Plugin 1.13 and earlier in pom.xml, src/main/java/hudson/matrix/FilterScript.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.13 and earlier"}]},"product_name": "Jenkins Matrix Project Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.384911","ID": "CVE-2019-1003031","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-693"}]}]}} \ No newline at end of file diff --git a/2019/1003xxx/CVE-2019-1003032.json b/2019/1003xxx/CVE-2019-1003032.json new file mode 100644 index 00000000000..63cb9390312 --- /dev/null +++ b/2019/1003xxx/CVE-2019-1003032.json 
@@ -0,0 +1 @@ +{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1340"}]},"description": {"description_data": [{"lang": "eng","value": "A sandbox bypass vulnerability exists in Jenkins Email Extension Plugin 2.64 and earlier in pom.xml, src/main/java/hudson/plugins/emailext/ExtendedEmailPublisher.java, src/main/java/hudson/plugins/emailext/plugins/content/EmailExtScript.java, src/main/java/hudson/plugins/emailext/plugins/content/ScriptContent.java, src/main/java/hudson/plugins/emailext/plugins/trigger/AbstractScriptTrigger.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.64 and earlier"}]},"product_name": "Jenkins Email Extension Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.385288","ID": "CVE-2019-1003032","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-693"}]}]}} \ No newline at end of file diff --git a/2019/1003xxx/CVE-2019-1003033.json b/2019/1003xxx/CVE-2019-1003033.json new file mode 100644 index 00000000000..ee59595de01 --- /dev/null +++ b/2019/1003xxx/CVE-2019-1003033.json 
@@ -0,0 +1 @@ +{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1338"}]},"description": {"description_data": [{"lang": "eng","value": "A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.1 and earlier in pom.xml, src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.1 and earlier"}]},"product_name": "Jenkins Groovy Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.385701","ID": "CVE-2019-1003033","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-693"}]}]}} \ No newline at end of file diff --git a/2019/1003xxx/CVE-2019-1003034.json b/2019/1003xxx/CVE-2019-1003034.json new file mode 100644 index 00000000000..137c5f27b14 --- /dev/null +++ b/2019/1003xxx/CVE-2019-1003034.json 
@@ -0,0 +1 @@ +{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1342"}]},"description": {"description_data": [{"lang": "eng","value": "A sandbox bypass vulnerability exists in Jenkins Job DSL Plugin 1.71 and earlier in job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/AbstractDslScriptLoader.groovy, job-dsl-plugin/build.gradle, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/JobDslWhitelist.groovy, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/SandboxDslScriptLoader.groovy that allows attackers with control over Job DSL definitions to execute arbitrary code on the Jenkins master JVM."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.71 and earlier"}]},"product_name": "Jenkins Job DSL Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.386102","ID": "CVE-2019-1003034","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-693"}]}]}} \ No newline at end of file diff --git a/2019/1003xxx/CVE-2019-1003035.json b/2019/1003xxx/CVE-2019-1003035.json new file mode 100644 index 00000000000..a87a3898c48 --- /dev/null +++ b/2019/1003xxx/CVE-2019-1003035.json 
@@ -0,0 +1 @@ +{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1330"}]},"description": {"description_data": [{"lang": "eng","value": "An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgentTemplate.java, src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to perform the 'verify configuration' form validation action, thereby obtaining limited information about the Azure configuration."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "0.8.0 and earlier"}]},"product_name": "Jenkins Azure VM Agents Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.386559","ID": "CVE-2019-1003035","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-285, CWE-201"}]}]}} \ No newline at end of file diff --git a/2019/1003xxx/CVE-2019-1003036.json b/2019/1003xxx/CVE-2019-1003036.json new file mode 100644 index 00000000000..308b010483c --- /dev/null +++ b/2019/1003xxx/CVE-2019-1003036.json 
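Review bot: The `problemtype` entry packs two CWE identifiers into one string, `"value": "CWE-285, CWE-201"`, so tooling that expects one CWE id per description entry will match neither. Give each id its own entry in the `description` array: `{"lang": "eng","value": "CWE-285"},{"lang": "eng","value": "CWE-201"}`. The same combined form is used in the CVE-2019-1003036 hunk (`"CWE-285, CWE-352"`) and the CVE-2019-1003037 hunk (`"CWE-285, CWE-201"`).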
@@ -0,0 +1 @@ +{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1331"}]},"description": {"description_data": [{"lang": "eng","value": "A data modification vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgent.java that allows attackers with Overall/Read permission to attach a public IP address to an Azure VM agent."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "0.8.0 and earlier"}]},"product_name": "Jenkins Azure VM Agents Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.386888","ID": "CVE-2019-1003036","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-285, CWE-352"}]}]}} \ No newline at end of file diff --git a/2019/1003xxx/CVE-2019-1003037.json b/2019/1003xxx/CVE-2019-1003037.json new file mode 100644 index 00000000000..20a4186585e --- /dev/null +++ b/2019/1003xxx/CVE-2019-1003037.json 
@@ -0,0 +1 @@ +{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1332"}]},"description": {"description_data": [{"lang": "eng","value": "An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "0.8.0 and earlier"}]},"product_name": "Jenkins Azure VM Agents Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.387239","ID": "CVE-2019-1003037","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-285, CWE-201"}]}]}} \ No newline at end of file diff --git a/2019/1003xxx/CVE-2019-1003038.json b/2019/1003xxx/CVE-2019-1003038.json new file mode 100644 index 00000000000..07f4d40f87f --- /dev/null +++ b/2019/1003xxx/CVE-2019-1003038.json 
@@ -0,0 +1 @@ +{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-958"}]},"description": {"description_data": [{"lang": "eng","value": "An insufficiently protected credentials vulnerability exists in Jenkins Repository Connector Plugin 1.2.4 and earlier in src/main/java/org/jvnet/hudson/plugins/repositoryconnector/ArtifactDeployer.java, src/main/java/org/jvnet/hudson/plugins/repositoryconnector/Repository.java, src/main/java/org/jvnet/hudson/plugins/repositoryconnector/UserPwd.java that allows an attacker with local file system access or control of a Jenkins administrator\u2019s web browser (e.g. malicious extension) to retrieve the password stored in the plugin configuration."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.2.4 and earlier"}]},"product_name": "Jenkins Repository Connector Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.387698","ID": "CVE-2019-1003038","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-522"}]}]}} \ No newline at end of file diff --git a/2019/1003xxx/CVE-2019-1003039.json b/2019/1003xxx/CVE-2019-1003039.json new file mode 100644 index 00000000000..2e7166656f1 --- /dev/null +++ b/2019/1003xxx/CVE-2019-1003039.json 
@@ -0,0 +1 @@ +{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1087"}]},"description": {"description_data": [{"lang": "eng","value": "An insufficiently protected credentials vulnerability exists in JenkinsAppDynamics Dashboard Plugin 1.0.14 and earlier in src/main/java/nl/codecentric/jenkins/appd/AppDynamicsResultsPublisher.java that allows attackers without permission to obtain passwords configured in jobs to obtain them."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.0.14 and earlier"}]},"product_name": "JenkinsAppDynamics Dashboard Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.388179","ID": "CVE-2019-1003039","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-522"}]}]}} \ No newline at end of file From 9cc108fb1365cabb934c81d782386b85d0f14486 Mon Sep 17 00:00:00 2001 From: Daniel Beck Date: Fri, 8 Mar 2019 15:15:27 +0100 Subject: [PATCH 2/2] Fix URLs --- 2019/1003xxx/CVE-2019-1003031.json | 2 +- 2019/1003xxx/CVE-2019-1003032.json | 2 +- 2019/1003xxx/CVE-2019-1003033.json | 2 +- 2019/1003xxx/CVE-2019-1003034.json | 2 +- 2019/1003xxx/CVE-2019-1003035.json | 2 +- 2019/1003xxx/CVE-2019-1003036.json | 2 +- 2019/1003xxx/CVE-2019-1003037.json | 2 +- 2019/1003xxx/CVE-2019-1003038.json | 2 +- 2019/1003xxx/CVE-2019-1003039.json | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/2019/1003xxx/CVE-2019-1003031.json b/2019/1003xxx/CVE-2019-1003031.json index b1016a4aee4..3045fed42fb 100644 --- a/2019/1003xxx/CVE-2019-1003031.json +++ b/2019/1003xxx/CVE-2019-1003031.json 
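Review bot: The description's closing clause in the CVE-2019-1003039 record, `that allows attackers without permission to obtain passwords configured in jobs to obtain them`, is garbled: it repeats "obtain" and does not say which permission the attacker lacks or how the passwords are exposed. It should be reworded from the linked advisory so that the precondition and the impact are each stated once. The product is also written `JenkinsAppDynamics Dashboard Plugin` in both the description and `product_name`, where every other record in this patch uses the form `Jenkins <name> Plugin`; presumably `Jenkins AppDynamics Dashboard Plugin` is intended, and the missing space would break matching on the product name.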
@@ -1 +1 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1339"}]},"description": {"description_data": [{"lang": "eng","value": "A sandbox bypass vulnerability exists in Jenkins Matrix Project Plugin 1.13 and earlier in pom.xml, src/main/java/hudson/matrix/FilterScript.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.13 and earlier"}]},"product_name": "Jenkins Matrix Project Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.384911","ID": "CVE-2019-1003031","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-693"}]}]}} \ No newline at end of file +{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1339"}]},"description": {"description_data": [{"lang": "eng","value": "A sandbox bypass vulnerability exists in Jenkins Matrix Project Plugin 1.13 and earlier in pom.xml, src/main/java/hudson/matrix/FilterScript.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.13 and earlier"}]},"product_name": "Jenkins Matrix Project Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.384911","ID": "CVE-2019-1003031","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-693"}]}]}} \ No newline at end of file 
diff --git a/2019/1003xxx/CVE-2019-1003032.json b/2019/1003xxx/CVE-2019-1003032.json index 63cb9390312..7433c1ca5f9 100644 --- a/2019/1003xxx/CVE-2019-1003032.json +++ b/2019/1003xxx/CVE-2019-1003032.json 
@@ -1 +1 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1340"}]},"description": {"description_data": [{"lang": "eng","value": "A sandbox bypass vulnerability exists in Jenkins Email Extension Plugin 2.64 and earlier in pom.xml, src/main/java/hudson/plugins/emailext/ExtendedEmailPublisher.java, src/main/java/hudson/plugins/emailext/plugins/content/EmailExtScript.java, src/main/java/hudson/plugins/emailext/plugins/content/ScriptContent.java, src/main/java/hudson/plugins/emailext/plugins/trigger/AbstractScriptTrigger.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.64 and earlier"}]},"product_name": "Jenkins Email Extension Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.385288","ID": "CVE-2019-1003032","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-693"}]}]}} \ No newline at end of file +{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1340"}]},"description": {"description_data": [{"lang": "eng","value": "A sandbox bypass vulnerability exists in Jenkins Email Extension Plugin 2.64 and earlier in pom.xml, src/main/java/hudson/plugins/emailext/ExtendedEmailPublisher.java, src/main/java/hudson/plugins/emailext/plugins/content/EmailExtScript.java, src/main/java/hudson/plugins/emailext/plugins/content/ScriptContent.java, src/main/java/hudson/plugins/emailext/plugins/trigger/AbstractScriptTrigger.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM."}]},"data_type": "CVE","affects": 
{"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.64 and earlier"}]},"product_name": "Jenkins Email Extension Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.385288","ID": "CVE-2019-1003032","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-693"}]}]}} \ No newline at end of file diff --git a/2019/1003xxx/CVE-2019-1003033.json b/2019/1003xxx/CVE-2019-1003033.json index ee59595de01..4458c8a8eba 100644 --- a/2019/1003xxx/CVE-2019-1003033.json +++ b/2019/1003xxx/CVE-2019-1003033.json 
@@ -1 +1 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1338"}]},"description": {"description_data": [{"lang": "eng","value": "A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.1 and earlier in pom.xml, src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.1 and earlier"}]},"product_name": "Jenkins Groovy Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.385701","ID": "CVE-2019-1003033","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-693"}]}]}} \ No newline at end of file +{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1338"}]},"description": {"description_data": [{"lang": "eng","value": "A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.1 and earlier in pom.xml, src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.1 and earlier"}]},"product_name": "Jenkins Groovy Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.385701","ID": "CVE-2019-1003033","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-693"}]}]}} \ No newline at end of file 
diff --git a/2019/1003xxx/CVE-2019-1003034.json b/2019/1003xxx/CVE-2019-1003034.json index 137c5f27b14..57132f1de06 100644 --- a/2019/1003xxx/CVE-2019-1003034.json +++ b/2019/1003xxx/CVE-2019-1003034.json 
@@ -1 +1 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1342"}]},"description": {"description_data": [{"lang": "eng","value": "A sandbox bypass vulnerability exists in Jenkins Job DSL Plugin 1.71 and earlier in job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/AbstractDslScriptLoader.groovy, job-dsl-plugin/build.gradle, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/JobDslWhitelist.groovy, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/SandboxDslScriptLoader.groovy that allows attackers with control over Job DSL definitions to execute arbitrary code on the Jenkins master JVM."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.71 and earlier"}]},"product_name": "Jenkins Job DSL Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.386102","ID": "CVE-2019-1003034","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-693"}]}]}} \ No newline at end of file +{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1342"}]},"description": {"description_data": [{"lang": "eng","value": "A sandbox bypass vulnerability exists in Jenkins Job DSL Plugin 1.71 and earlier in job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/AbstractDslScriptLoader.groovy, job-dsl-plugin/build.gradle, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/JobDslWhitelist.groovy, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/SandboxDslScriptLoader.groovy that allows attackers with control over Job DSL definitions to execute arbitrary code on the Jenkins master JVM."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": 
{"version_data": [{"version_value": "1.71 and earlier"}]},"product_name": "Jenkins Job DSL Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.386102","ID": "CVE-2019-1003034","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-693"}]}]}} \ No newline at end of file diff --git a/2019/1003xxx/CVE-2019-1003035.json b/2019/1003xxx/CVE-2019-1003035.json index a87a3898c48..3fbe1d8fd05 100644 --- a/2019/1003xxx/CVE-2019-1003035.json +++ b/2019/1003xxx/CVE-2019-1003035.json 
@@ -1 +1 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1330"}]},"description": {"description_data": [{"lang": "eng","value": "An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgentTemplate.java, src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to perform the 'verify configuration' form validation action, thereby obtaining limited information about the Azure configuration."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "0.8.0 and earlier"}]},"product_name": "Jenkins Azure VM Agents Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.386559","ID": "CVE-2019-1003035","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-285, CWE-201"}]}]}} \ No newline at end of file +{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1330"}]},"description": {"description_data": [{"lang": "eng","value": "An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgentTemplate.java, src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to perform the 'verify configuration' form validation action, thereby obtaining limited information about the Azure configuration."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "0.8.0 and earlier"}]},"product_name": "Jenkins Azure VM Agents 
Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.386559","ID": "CVE-2019-1003035","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-285, CWE-201"}]}]}} \ No newline at end of file diff --git a/2019/1003xxx/CVE-2019-1003036.json b/2019/1003xxx/CVE-2019-1003036.json index 308b010483c..596a5d50e75 100644 --- a/2019/1003xxx/CVE-2019-1003036.json +++ b/2019/1003xxx/CVE-2019-1003036.json 
@@ -1 +1 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1331"}]},"description": {"description_data": [{"lang": "eng","value": "A data modification vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgent.java that allows attackers with Overall/Read permission to attach a public IP address to an Azure VM agent."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "0.8.0 and earlier"}]},"product_name": "Jenkins Azure VM Agents Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.386888","ID": "CVE-2019-1003036","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-285, CWE-352"}]}]}} \ No newline at end of file +{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1331"}]},"description": {"description_data": [{"lang": "eng","value": "A data modification vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgent.java that allows attackers with Overall/Read permission to attach a public IP address to an Azure VM agent."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "0.8.0 and earlier"}]},"product_name": "Jenkins Azure VM Agents Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.386888","ID": "CVE-2019-1003036","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-285, 
CWE-352"}]}]}} \ No newline at end of file diff --git a/2019/1003xxx/CVE-2019-1003037.json b/2019/1003xxx/CVE-2019-1003037.json index 20a4186585e..f40d4339e1e 100644 --- a/2019/1003xxx/CVE-2019-1003037.json +++ b/2019/1003xxx/CVE-2019-1003037.json 
@@ -1 +1 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1332"}]},"description": {"description_data": [{"lang": "eng","value": "An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "0.8.0 and earlier"}]},"product_name": "Jenkins Azure VM Agents Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.387239","ID": "CVE-2019-1003037","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-285, CWE-201"}]}]}}
\ No newline at end of file
+{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1332"}]},"description": {"description_data": [{"lang": "eng","value": "An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "0.8.0 and earlier"}]},"product_name": "Jenkins Azure VM Agents Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.387239","ID": "CVE-2019-1003037","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-285, CWE-201"}]}]}}
\ No newline at end of file
diff --git a/2019/1003xxx/CVE-2019-1003038.json b/2019/1003xxx/CVE-2019-1003038.json
index 07f4d40f87f..d4861af2a44 100644
--- a/2019/1003xxx/CVE-2019-1003038.json
+++ b/2019/1003xxx/CVE-2019-1003038.json
@@ -1 +1 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-958"}]},"description": {"description_data": [{"lang": "eng","value": "An insufficiently protected credentials vulnerability exists in Jenkins Repository Connector Plugin 1.2.4 and earlier in src/main/java/org/jvnet/hudson/plugins/repositoryconnector/ArtifactDeployer.java, src/main/java/org/jvnet/hudson/plugins/repositoryconnector/Repository.java, src/main/java/org/jvnet/hudson/plugins/repositoryconnector/UserPwd.java that allows an attacker with local file system access or control of a Jenkins administrator\u2019s web browser (e.g. malicious extension) to retrieve the password stored in the plugin configuration."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.2.4 and earlier"}]},"product_name": "Jenkins Repository Connector Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.387698","ID": "CVE-2019-1003038","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-522"}]}]}}
\ No newline at end of file
+{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-03-06/#SECURITY-958"}]},"description": {"description_data": [{"lang": "eng","value": "An insufficiently protected credentials vulnerability exists in Jenkins Repository Connector Plugin 1.2.4 and earlier in src/main/java/org/jvnet/hudson/plugins/repositoryconnector/ArtifactDeployer.java, src/main/java/org/jvnet/hudson/plugins/repositoryconnector/Repository.java, src/main/java/org/jvnet/hudson/plugins/repositoryconnector/UserPwd.java that allows an attacker with local file system access or control of a Jenkins administrator\u2019s web browser (e.g. malicious extension) to retrieve the password stored in the plugin configuration."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.2.4 and earlier"}]},"product_name": "Jenkins Repository Connector Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.387698","ID": "CVE-2019-1003038","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-522"}]}]}}
\ No newline at end of file
diff --git a/2019/1003xxx/CVE-2019-1003039.json b/2019/1003xxx/CVE-2019-1003039.json
index 2e7166656f1..7963cf0e10e 100644
--- a/2019/1003xxx/CVE-2019-1003039.json
+++ b/2019/1003xxx/CVE-2019-1003039.json
@@ -1 +1 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1087"}]},"description": {"description_data": [{"lang": "eng","value": "An insufficiently protected credentials vulnerability exists in JenkinsAppDynamics Dashboard Plugin 1.0.14 and earlier in src/main/java/nl/codecentric/jenkins/appd/AppDynamicsResultsPublisher.java that allows attackers without permission to obtain passwords configured in jobs to obtain them."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.0.14 and earlier"}]},"product_name": "JenkinsAppDynamics Dashboard Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.388179","ID": "CVE-2019-1003039","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-522"}]}]}}
\ No newline at end of file
+{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1087"}]},"description": {"description_data": [{"lang": "eng","value": "An insufficiently protected credentials vulnerability exists in JenkinsAppDynamics Dashboard Plugin 1.0.14 and earlier in src/main/java/nl/codecentric/jenkins/appd/AppDynamicsResultsPublisher.java that allows attackers without permission to obtain passwords configured in jobs to obtain them."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.0.14 and earlier"}]},"product_name": "JenkinsAppDynamics Dashboard Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.388179","ID": "CVE-2019-1003039","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-522"}]}]}}
\ No newline at end of file
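Review bot: The added line for CVE-2019-1003039 carries over two text defects that the advisory-URL correction leaves in place: `product_name` and the description both read `JenkinsAppDynamics Dashboard Plugin` with no space after "Jenkins", and the description ends in the circular clause `allows attackers without permission to obtain passwords configured in jobs to obtain them`. The fused product name matters most for defenders, because inventory or scanner tooling that matches affected products by name is likely to miss this record; `"product_name": "Jenkins AppDynamics Dashboard Plugin"` would follow the `Jenkins <plugin name>` form used by the other records in this patch. The description should be reworded against the referenced advisory so that the access an attacker needs is stated once and unambiguously.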