updated descriptions with versions

Kurt Seifried 2018-01-25 16:47:40 -07:00
parent d2ed807e1c
commit 0ca5c9a4c8
No known key found for this signature in database
GPG Key ID: F15CADC4A00F8174
9 changed files with 549 additions and 9 deletions


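--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1 +1,61 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2017-10-23/"}]},"description": {"description_data": [{"lang": "eng","value": "Jenkins Multijob plugin did not check permissions in the Resume Build action, allowing anyone with Job/Read permission to resume the build."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.25 and earlier"}]},"product_name": "Jenkins Multijob Plugin"}]},"vendor_name": "Jenkins Multijob Plugin"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2017-11-17","ID": "CVE-2017-1000390","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "Incorrect Access Control"}]}]}}
+{
+"data_version": "4.0",
+"references": {
+"reference_data": [
+{
+"url": "https://jenkins.io/security/advisory/2017-10-23/"
+}
+]
+},
+"description": {
+"description_data": [
+{
+"lang": "eng",
+"value": "Jenkins Multijob plugin version 1.25 and earlier did not check permissions in the Resume Build action, allowing anyone with Job/Read permission to resume the build."
+}
+]
+},
+"data_type": "CVE",
+"affects": {
+"vendor": {
+"vendor_data": [
+{
+"product": {
+"product_data": [
+{
+"version": {
+"version_data": [
+{
+"version_value": "1.25 and earlier"
+}
+]
+},
+"product_name": "Jenkins Multijob Plugin"
+}
+]
+},
+"vendor_name": "Jenkins Multijob Plugin"
+}
+]
+}
+},
+"CVE_data_meta": {
+"DATE_ASSIGNED": "2017-11-17",
+"ID": "CVE-2017-1000390",
+"ASSIGNER": "kurt@seifried.org",
+"REQUESTER": "ml@beckweb.net"
+},
+"data_format": "MITRE",
+"problemtype": {
+"problemtype_data": [
+{
+"description": [
+{
+"lang": "eng",
+"value": "Incorrect Access Control"
+}
+]
+}
+]
+}
+}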
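Review bot: `vendor_name` on the new side is "Jenkins Multijob Plugin", the same string as `product_name`, while the other eight records in this commit use `"vendor_name": "Jenkins"`. Downstream tooling that groups records by vendor (for example when deriving CPE names) would likely file this plugin apart from the rest of the Jenkins entries, so unless each plugin is deliberately treated as its own vendor, `"vendor_name": "Jenkins"` keeps the set consistent. The reformatted description now names the affected version, and it agrees with `version_value`.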


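--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1 +1,61 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2017-11-08/"}]},"description": {"description_data": [{"lang": "eng","value": "Jenkins stores metadata related to 'people', which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.88 and earlier; 2.73.2 and earlier"}]},"product_name": "Jenkins"}]},"vendor_name": "Jenkins"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2017-11-17","ID": "CVE-2017-1000391","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "Other"}]}]}}
+{
+"data_version": "4.0",
+"references": {
+"reference_data": [
+{
+"url": "https://jenkins.io/security/advisory/2017-11-08/"
+}
+]
+},
+"description": {
+"description_data": [
+{
+"lang": "eng",
+"value": "Jenkins versions 2.88 and earlier and 2.73.2 and earlier stores metadata related to 'people', which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files."
+}
+]
+},
+"data_type": "CVE",
+"affects": {
+"vendor": {
+"vendor_data": [
+{
+"product": {
+"product_data": [
+{
+"version": {
+"version_data": [
+{
+"version_value": "2.88 and earlier; 2.73.2 and earlier"
+}
+]
+},
+"product_name": "Jenkins"
+}
+]
+},
+"vendor_name": "Jenkins"
+}
+]
+}
+},
+"CVE_data_meta": {
+"DATE_ASSIGNED": "2017-11-17",
+"ID": "CVE-2017-1000391",
+"ASSIGNER": "kurt@seifried.org",
+"REQUESTER": "ml@beckweb.net"
+},
+"data_format": "MITRE",
+"problemtype": {
+"problemtype_data": [
+{
+"description": [
+{
+"lang": "eng",
+"value": "Other"
+}
+]
+}
+]
+}
+}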
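Review bot: `version_value` at the `"2.88 and earlier; 2.73.2 and earlier"` line packs two independent version ranges into one free-text string, and the delimiter is not consistent across this commit: a semicolon here and in the CVE-2017-1000392 record, a comma in the CVE-2017-1000393 through CVE-2017-1000399 records. `version_data` is already an array, so one entry per range — `{"version_value": "2.88 and earlier"}, {"version_value": "2.73.2 and earlier"}` — lets a consumer recover both upper bounds without guessing the separator; if the project uses the 4.0 format's `version_affected` field, `"<="` is the place for the "and earlier" qualifier. Separately, the new description reads "Jenkins versions 2.88 and earlier and 2.73.2 and earlier stores", which needs the plural "store" and would be easier to read with the same separator the `version_value` uses.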


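--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1 +1,61 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2017-11-08/"}]},"description": {"description_data": [{"lang": "eng","value": "Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.88 and earlier; 2.73.2 and earlier"}]},"product_name": "Jenkins"}]},"vendor_name": "Jenkins"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2017-11-17","ID": "CVE-2017-1000392","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "Cross Site Scripting"}]}]}}
+{
+"data_version": "4.0",
+"references": {
+"reference_data": [
+{
+"url": "https://jenkins.io/security/advisory/2017-11-08/"
+}
+]
+},
+"description": {
+"description_data": [
+{
+"lang": "eng",
+"value": "Jenkins 2.88 and earlier; 2.73.2 and earlier Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters."
+}
+]
+},
+"data_type": "CVE",
+"affects": {
+"vendor": {
+"vendor_data": [
+{
+"product": {
+"product_data": [
+{
+"version": {
+"version_data": [
+{
+"version_value": "2.88 and earlier; 2.73.2 and earlier"
+}
+]
+},
+"product_name": "Jenkins"
+}
+]
+},
+"vendor_name": "Jenkins"
+}
+]
+}
+},
+"CVE_data_meta": {
+"DATE_ASSIGNED": "2017-11-17",
+"ID": "CVE-2017-1000392",
+"ASSIGNER": "kurt@seifried.org",
+"REQUESTER": "ml@beckweb.net"
+},
+"data_format": "MITRE",
+"problemtype": {
+"problemtype_data": [
+{
+"description": [
+{
+"lang": "eng",
+"value": "Cross Site Scripting"
+}
+]
+}
+]
+}
+}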
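Review bot: The new description at the `"value"` line runs the version range straight into the original sentence — "Jenkins 2.88 and earlier; 2.73.2 and earlier Autocompletion suggestions for text fields were not escaped" — so the sentence no longer has a clear subject. The other records in this commit fold the version into the clause; the same here reads `"value": "Autocompletion suggestions for text fields in Jenkins 2.88 and earlier; 2.73.2 and earlier were not escaped, resulting in a persisted cross-site scripting vulnerability ..."` with the rest of the text unchanged. The description is the field most consumers display verbatim, so it is worth a wording pass before publication.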


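--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1 +1,61 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2017-10-11/"}]},"description": {"description_data": [{"lang": "eng","value": "Users with permission to create or configure agents in Jenkins could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission typically only granted to administrators."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.73.1 and earlier, 2.83 and earlier"}]},"product_name": "Jenkins"}]},"vendor_name": "Jenkins"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2017-11-17","ID": "CVE-2017-1000393","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "Incorrect Access Control"}]}]}}
+{
+"data_version": "4.0",
+"references": {
+"reference_data": [
+{
+"url": "https://jenkins.io/security/advisory/2017-10-11/"
+}
+]
+},
+"description": {
+"description_data": [
+{
+"lang": "eng",
+"value": "Jenkins 2.73.1 and earlier, 2.83 and earlier users with permission to create or configure agents in Jenkins could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission typically only granted to administrators."
+}
+]
+},
+"data_type": "CVE",
+"affects": {
+"vendor": {
+"vendor_data": [
+{
+"product": {
+"product_data": [
+{
+"version": {
+"version_data": [
+{
+"version_value": "2.73.1 and earlier, 2.83 and earlier"
+}
+]
+},
+"product_name": "Jenkins"
+}
+]
+},
+"vendor_name": "Jenkins"
+}
+]
+}
+},
+"CVE_data_meta": {
+"DATE_ASSIGNED": "2017-11-17",
+"ID": "CVE-2017-1000393",
+"ASSIGNER": "kurt@seifried.org",
+"REQUESTER": "ml@beckweb.net"
+},
+"data_format": "MITRE",
+"problemtype": {
+"problemtype_data": [
+{
+"description": [
+{
+"lang": "eng",
+"value": "Incorrect Access Control"
+}
+]
+}
+]
+}
+}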
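Review bot: The new description at the `"value"` line reads "Jenkins 2.73.1 and earlier, 2.83 and earlier users with permission to create or configure agents in Jenkins could configure ...", which makes the version range modify "users". A leading prepositional phrase keeps the intended meaning: `"value": "In Jenkins 2.73.1 and earlier, 2.83 and earlier, users with permission to create or configure agents could configure a launch method called 'Launch agent via execution of command on master'. ..."` with the remaining sentences unchanged. The second "in Jenkins" then becomes redundant and can be dropped.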


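--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1 +1,61 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2017-10-11/"}]},"description": {"description_data": [{"lang": "eng","value": "Jenkins bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.73.1 and earlier, 2.83 and earlier"}]},"product_name": "Jenkins"}]},"vendor_name": "Jenkins"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2017-11-17","ID": "CVE-2017-1000394","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "Denial of Service"}]}]}}
+{
+"data_version": "4.0",
+"references": {
+"reference_data": [
+{
+"url": "https://jenkins.io/security/advisory/2017-10-11/"
+}
+]
+},
+"description": {
+"description_data": [
+{
+"lang": "eng",
+"value": "Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins."
+}
+]
+},
+"data_type": "CVE",
+"affects": {
+"vendor": {
+"vendor_data": [
+{
+"product": {
+"product_data": [
+{
+"version": {
+"version_data": [
+{
+"version_value": "2.73.1 and earlier, 2.83 and earlier"
+}
+]
+},
+"product_name": "Jenkins"
+}
+]
+},
+"vendor_name": "Jenkins"
+}
+]
+}
+},
+"CVE_data_meta": {
+"DATE_ASSIGNED": "2017-11-17",
+"ID": "CVE-2017-1000394",
+"ASSIGNER": "kurt@seifried.org",
+"REQUESTER": "ml@beckweb.net"
+},
+"data_format": "MITRE",
+"problemtype": {
+"problemtype_data": [
+{
+"description": [
+{
+"lang": "eng",
+"value": "Denial of Service"
+}
+]
+}
+]
+}
+}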


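--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1 +1,61 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2017-10-11/"}]},"description": {"description_data": [{"lang": "eng","value": "Information about Jenkins user accounts is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.73.1 and earlier, 2.83 and earlier"}]},"product_name": "Jenkins"}]},"vendor_name": "Jenkins"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2017-11-17","ID": "CVE-2017-1000395","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "Incorrect Access Control"}]}]}}
+{
+"data_version": "4.0",
+"references": {
+"reference_data": [
+{
+"url": "https://jenkins.io/security/advisory/2017-10-11/"
+}
+]
+},
+"description": {
+"description_data": [
+{
+"lang": "eng",
+"value": "Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator."
+}
+]
+},
+"data_type": "CVE",
+"affects": {
+"vendor": {
+"vendor_data": [
+{
+"product": {
+"product_data": [
+{
+"version": {
+"version_data": [
+{
+"version_value": "2.73.1 and earlier, 2.83 and earlier"
+}
+]
+},
+"product_name": "Jenkins"
+}
+]
+},
+"vendor_name": "Jenkins"
+}
+]
+}
+},
+"CVE_data_meta": {
+"DATE_ASSIGNED": "2017-11-17",
+"ID": "CVE-2017-1000395",
+"ASSIGNER": "kurt@seifried.org",
+"REQUESTER": "ml@beckweb.net"
+},
+"data_format": "MITRE",
+"problemtype": {
+"problemtype_data": [
+{
+"description": [
+{
+"lang": "eng",
+"value": "Incorrect Access Control"
+}
+]
+}
+]
+}
+}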


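--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1 +1,61 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2017-10-11/"}]},"description": {"description_data": [{"lang": "eng","value": "Jenkins bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.73.1 and earlier, 2.83 and earlier"}]},"product_name": "Jenkins"}]},"vendor_name": "Jenkins"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2017-11-17","ID": "CVE-2017-1000396","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "Missing SSL Certificate Validation"}]}]}}
+{
+"data_version": "4.0",
+"references": {
+"reference_data": [
+{
+"url": "https://jenkins.io/security/advisory/2017-10-11/"
+}
+]
+},
+"description": {
+"description_data": [
+{
+"lang": "eng",
+"value": "Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins."
+}
+]
+},
+"data_type": "CVE",
+"affects": {
+"vendor": {
+"vendor_data": [
+{
+"product": {
+"product_data": [
+{
+"version": {
+"version_data": [
+{
+"version_value": "2.73.1 and earlier, 2.83 and earlier"
+}
+]
+},
+"product_name": "Jenkins"
+}
+]
+},
+"vendor_name": "Jenkins"
+}
+]
+}
+},
+"CVE_data_meta": {
+"DATE_ASSIGNED": "2017-11-17",
+"ID": "CVE-2017-1000396",
+"ASSIGNER": "kurt@seifried.org",
+"REQUESTER": "ml@beckweb.net"
+},
+"data_format": "MITRE",
+"problemtype": {
+"problemtype_data": [
+{
+"description": [
+{
+"lang": "eng",
+"value": "Missing SSL Certificate Validation"
+}
+]
+}
+]
+}
+}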


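--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1 +1,61 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2017-10-11/"}]},"description": {"description_data": [{"lang": "eng","value": "The remote API at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.73.1 and earlier, 2.83 and earlier"}]},"product_name": "Jenkins"}]},"vendor_name": "Jenkins"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2017-11-17","ID": "CVE-2017-1000398","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "Incorrect Access Control"}]}]}}
+{
+"data_version": "4.0",
+"references": {
+"reference_data": [
+{
+"url": "https://jenkins.io/security/advisory/2017-10-11/"
+}
+]
+},
+"description": {
+"description_data": [
+{
+"lang": "eng",
+"value": "The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks."
+}
+]
+},
+"data_type": "CVE",
+"affects": {
+"vendor": {
+"vendor_data": [
+{
+"product": {
+"product_data": [
+{
+"version": {
+"version_data": [
+{
+"version_value": "2.73.1 and earlier, 2.83 and earlier"
+}
+]
+},
+"product_name": "Jenkins"
+}
+]
+},
+"vendor_name": "Jenkins"
+}
+]
+}
+},
+"CVE_data_meta": {
+"DATE_ASSIGNED": "2017-11-17",
+"ID": "CVE-2017-1000398",
+"ASSIGNER": "kurt@seifried.org",
+"REQUESTER": "ml@beckweb.net"
+},
+"data_format": "MITRE",
+"problemtype": {
+"problemtype_data": [
+{
+"description": [
+{
+"lang": "eng",
+"value": "Incorrect Access Control"
+}
+]
+}
+]
+}
+}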


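--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1 +1,61 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2017-10-11/"}]},"description": {"description_data": [{"lang": "eng","value": "The remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.73.1 and earlier, 2.83 and earlier"}]},"product_name": "Jenkins"}]},"vendor_name": "Jenkins"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2017-11-17","ID": "CVE-2017-1000399","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "Incorrect Access Control"}]}]}}
+{
+"data_version": "4.0",
+"references": {
+"reference_data": [
+{
+"url": "https://jenkins.io/security/advisory/2017-10-11/"
+}
+]
+},
+"description": {
+"description_data": [
+{
+"lang": "eng",
+"value": "The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to."
+}
+]
+},
+"data_type": "CVE",
+"affects": {
+"vendor": {
+"vendor_data": [
+{
+"product": {
+"product_data": [
+{
+"version": {
+"version_data": [
+{
+"version_value": "2.73.1 and earlier, 2.83 and earlier"
+}
+]
+},
+"product_name": "Jenkins"
+}
+]
+},
+"vendor_name": "Jenkins"
+}
+]
+}
+},
+"CVE_data_meta": {
+"DATE_ASSIGNED": "2017-11-17",
+"ID": "CVE-2017-1000399",
+"ASSIGNER": "kurt@seifried.org",
+"REQUESTER": "ml@beckweb.net"
+},
+"data_format": "MITRE",
+"problemtype": {
+"problemtype_data": [
+{
+"description": [
+{
+"lang": "eng",
+"value": "Incorrect Access Control"
+}
+]
+}
+]
+}
+}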
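Review bot: The new description at the `"value"` line places the version range inside the noun phrase — "The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/(ID)/api" — while the parallel CVE-2017-1000398 record in this commit phrases it as "The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api". Using the same construction here, `"value": "The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /queue/item/(ID)/api showed information about tasks in the queue ..."` with the rest unchanged, keeps the two sibling records consistent and reads more naturally.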