diff --git a/2022/43xxx/CVE-2022-43401.json b/2022/43xxx/CVE-2022-43401.json index 2fad62ddedb..f8ec0008454 100644 --- a/2022/43xxx/CVE-2022-43401.json +++ b/2022/43xxx/CVE-2022-43401.json @@ -1,17 +1,65 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43401", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Script Security Plugin", + "version": { + "version_data": [ + { + "version_value": "1183.v774b_0b_0a_a_451", + "version_affected": "<=" + }, + { + "version_value": "1175.1177.vda_175b_77d144", + "version_affected": "!" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-693: Protection Mechanism Failure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43402.json b/2022/43xxx/CVE-2022-43402.json index f1b614fee74..922da0de790 100644 --- a/2022/43xxx/CVE-2022-43402.json +++ b/2022/43xxx/CVE-2022-43402.json @@ -1,17 +1,69 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43402", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Pipeline: Groovy Plugin", + "version": { + "version_data": [ + { + "version_value": "2802.v5ea_628154b_c2", + "version_affected": "<=" + }, + { + "version_value": "2759.2761.vd6e8d2a_15980", + "version_affected": "!" + }, + { + "version_value": "2746.2748.v365128b_c26d7", + "version_affected": "!" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-693: Protection Mechanism Failure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43403.json b/2022/43xxx/CVE-2022-43403.json index 7c463306575..993c71a8f90 100644 --- a/2022/43xxx/CVE-2022-43403.json +++ b/2022/43xxx/CVE-2022-43403.json @@ -1,17 +1,65 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43403", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Script Security Plugin", + "version": { + "version_data": [ + { + "version_value": "1183.v774b_0b_0a_a_451", + "version_affected": "<=" + }, + { + "version_value": "1175.1177.vda_175b_77d144", + "version_affected": "!" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-693: Protection Mechanism Failure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43404.json b/2022/43xxx/CVE-2022-43404.json index 137a541c8f4..491cdce5a81 100644 --- a/2022/43xxx/CVE-2022-43404.json +++ b/2022/43xxx/CVE-2022-43404.json @@ -1,17 +1,65 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43404", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Script Security Plugin", + "version": { + "version_data": [ + { + "version_value": "1183.v774b_0b_0a_a_451", + "version_affected": "<=" + }, + { + "version_value": "1175.1177.vda_175b_77d144", + "version_affected": "!" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated synthetic constructors in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-693: Protection Mechanism Failure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43405.json b/2022/43xxx/CVE-2022-43405.json index 1509c93d84a..749f3dae8e6 100644 --- a/2022/43xxx/CVE-2022-43405.json +++ b/2022/43xxx/CVE-2022-43405.json @@ -1,17 +1,65 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43405", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Pipeline: Groovy Libraries Plugin", + "version": { + "version_data": [ + { + "version_value": "612.v84da_9c54906d", + "version_affected": "<=" + }, + { + "version_value": "593.595.vfc6485d13dcd", + "version_affected": "!" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-693: Protection Mechanism Failure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43406.json b/2022/43xxx/CVE-2022-43406.json index d02fc6a845d..61a8db76f76 100644 --- a/2022/43xxx/CVE-2022-43406.json +++ b/2022/43xxx/CVE-2022-43406.json @@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43406", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Pipeline: Deprecated Groovy Libraries Plugin", + "version": { + "version_data": [ + { + "version_value": "583.vf3b_454e43966", + "version_affected": "<=" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A sandbox bypass vulnerability in Jenkins Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966 and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-693: Protection Mechanism Failure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43407.json b/2022/43xxx/CVE-2022-43407.json index 4f9aa3cdcc8..681ea56a861 100644 --- a/2022/43xxx/CVE-2022-43407.json +++ b/2022/43xxx/CVE-2022-43407.json @@ -1,17 +1,65 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43407", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Pipeline: Input Step Plugin", + "version": { + "version_data": [ + { + "version_value": "451.vf1a_a_4f405289", + "version_affected": "<=" + }, + { + "version_value": "449.451.v9c3d42f23975", + "version_affected": "!" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specified ID of the 'input' step, which is used for the URLs that process user interactions for the given 'input' step (proceed or abort) and is not correctly encoded, allowing attackers able to configure Pipelines to have Jenkins build URLs from 'input' step IDs that would bypass the CSRF protection of any target URL in Jenkins when the 'input' step is interacted with." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-838: Inappropriate Encoding for Output Context" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2880", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2880", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43408.json b/2022/43xxx/CVE-2022-43408.json index 022fe839870..ab377ce6601 100644 --- a/2022/43xxx/CVE-2022-43408.json +++ b/2022/43xxx/CVE-2022-43408.json @@ -1,17 +1,65 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43408", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Pipeline: Stage View Plugin", + "version": { + "version_data": [ + { + "version_value": "2.26", + "version_affected": "<=" + }, + { + "version_value": "2.24.2", + "version_affected": "!" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure Pipelines to specify 'input' step IDs resulting in URLs that would bypass the CSRF protection of any target URL in Jenkins." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-838: Inappropriate Encoding for Output Context" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43409.json b/2022/43xxx/CVE-2022-43409.json index 2d32ae4ecc6..8eb03ce2f66 100644 --- a/2022/43xxx/CVE-2022-43409.json +++ b/2022/43xxx/CVE-2022-43409.json @@ -1,17 +1,65 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43409", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Pipeline: Supporting APIs Plugin", + "version": { + "version_data": [ + { + "version_value": "838.va_3a_087b_4055b", + "version_affected": "<=" + }, + { + "version_value": "827.829.v01c0a_3d76c4f", + "version_affected": "!" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly encode URLs of hyperlinks sending POST requests in build logs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Pipelines." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2881", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2881", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43410.json b/2022/43xxx/CVE-2022-43410.json index 2949f5c003c..bff9106103e 100644 --- a/2022/43xxx/CVE-2022-43410.json +++ b/2022/43xxx/CVE-2022-43410.json @@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43410", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Mercurial Plugin", + "version": { + "version_data": [ + { + "version_value": "1251.va_b_121f184902", + "version_affected": "<=" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins Mercurial Plugin 1251.va_b_121f184902 and earlier provides information about which jobs were triggered or scheduled for polling through its webhook endpoint, including jobs the user has no permission to access." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2831", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2831", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43411.json b/2022/43xxx/CVE-2022-43411.json index d5c8b8b7c50..60781ea1b95 100644 --- a/2022/43xxx/CVE-2022-43411.json +++ b/2022/43xxx/CVE-2022-43411.json @@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43411", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins GitLab Plugin", + "version": { + "version_data": [ + { + "version_value": "1.5.35", + "version_affected": "<=" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins GitLab Plugin 1.5.35 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-208: Observable Timing Discrepancy" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2877", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2877", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43412.json b/2022/43xxx/CVE-2022-43412.json index cfcd2c8f654..d780eb7a286 100644 --- a/2022/43xxx/CVE-2022-43412.json +++ b/2022/43xxx/CVE-2022-43412.json @@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43412", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Generic Webhook Trigger Plugin", + "version": { + "version_data": [ + { + "version_value": "1.84.1", + "version_affected": "<=" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins Generic Webhook Trigger Plugin 1.84.1 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-208: Observable Timing Discrepancy" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2874", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2874", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43413.json b/2022/43xxx/CVE-2022-43413.json index 9b77345d171..3f8b335b4ed 100644 --- a/2022/43xxx/CVE-2022-43413.json +++ b/2022/43xxx/CVE-2022-43413.json @@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43413", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Job Import Plugin", + "version": { + "version_data": [ + { + "version_value": "3.5", + "version_affected": "<=" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins Job Import Plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-862: Missing Authorization" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2791", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2791", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43414.json b/2022/43xxx/CVE-2022-43414.json index ffbe4226b33..f457c8d3b45 100644 --- a/2022/43xxx/CVE-2022-43414.json +++ b/2022/43xxx/CVE-2022-43414.json @@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43414", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins NUnit Plugin", + "version": { + "version_data": [ + { + "version_value": "0.27", + "version_affected": "<=" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins NUnit Plugin 0.27 and earlier implements an agent-to-controller message that parses files inside a user-specified directory as test results, allowing attackers able to control agent processes to obtain test results from files in an attacker-specified directory on the Jenkins controller." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-693: Protection Mechanism Failure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2551", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2551", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43415.json b/2022/43xxx/CVE-2022-43415.json index eddc63921d8..cb31ff2fae0 100644 --- a/2022/43xxx/CVE-2022-43415.json +++ b/2022/43xxx/CVE-2022-43415.json @@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43415", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins REPO Plugin", + "version": { + "version_data": [ + { + "version_value": "1.15.0", + "version_affected": "<=" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-611: Improper Restriction of XML External Entity Reference" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2337", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2337", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43416.json b/2022/43xxx/CVE-2022-43416.json index 175900b0f47..9124b140cbd 100644 --- a/2022/43xxx/CVE-2022-43416.json +++ b/2022/43xxx/CVE-2022-43416.json @@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43416", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Katalon Plugin", + "version": { + "version_data": [ + { + "version_value": "1.0.32", + "version_affected": "<=" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins Katalon Plugin 1.0.32 and earlier implements an agent/controller message that does not limit where it can be executed and allows invoking Katalon with configurable arguments, allowing attackers able to control agent processes to invoke Katalon on the Jenkins controller with attacker-controlled version, install location, and arguments, and attackers additionally able to create files on the Jenkins controller (e.g., attackers with Item/Configure permission could archive artifacts) to invoke arbitrary OS commands." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-693: Protection Mechanism Failure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2844", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2844", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43417.json b/2022/43xxx/CVE-2022-43417.json index dc524b24829..4e23bbb55b0 100644 --- a/2022/43xxx/CVE-2022-43417.json +++ b/2022/43xxx/CVE-2022-43417.json @@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43417", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Katalon Plugin", + "version": { + "version_data": [ + { + "version_value": "1.0.32", + "version_affected": "<=" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins Katalon Plugin 1.0.32 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-862: Missing Authorization" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2845%20(1)", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2845%20(1)", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43418.json b/2022/43xxx/CVE-2022-43418.json index bf583d149f8..d86678efec9 100644 --- a/2022/43xxx/CVE-2022-43418.json +++ b/2022/43xxx/CVE-2022-43418.json @@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43418", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Katalon Plugin", + "version": { + "version_data": [ + { + "version_value": "1.0.33", + "version_affected": "<=" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A cross-site request forgery (CSRF) vulnerability in Jenkins Katalon Plugin 1.0.33 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-352: Cross-Site Request Forgery (CSRF)" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2845%20(2)", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2845%20(2)", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43419.json b/2022/43xxx/CVE-2022-43419.json index 49f69cbeb93..6f65360ffa8 100644 --- a/2022/43xxx/CVE-2022-43419.json +++ b/2022/43xxx/CVE-2022-43419.json @@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43419", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Katalon Plugin", + "version": { + "version_data": [ + { + "version_value": "1.0.32", + "version_affected": "<=" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins Katalon Plugin 1.0.32 and earlier stores API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-256: Plaintext Storage of a Password" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2846", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2846", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43420.json b/2022/43xxx/CVE-2022-43420.json index 84a175348ce..978c460e2b9 100644 --- a/2022/43xxx/CVE-2022-43420.json +++ b/2022/43xxx/CVE-2022-43420.json @@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43420", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Contrast Continuous Application Security Plugin", + "version": { + "version_data": [ + { + "version_value": "3.9", + "version_affected": "<=" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins Contrast Continuous Application Security Plugin 3.9 and earlier does not escape data returned from the Contrast service when generating a report, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control or modify Contrast service API responses." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2836", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2836", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43421.json b/2022/43xxx/CVE-2022-43421.json index 0f2bcdc278a..eb5a4fc4878 100644 --- a/2022/43xxx/CVE-2022-43421.json +++ b/2022/43xxx/CVE-2022-43421.json @@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43421", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Tuleap Git Branch Source Plugin", + "version": { + "version_data": [ + { + "version_value": "3.2.4", + "version_affected": "<=" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A missing permission check in Jenkins Tuleap Git Branch Source Plugin 3.2.4 and earlier allows unauthenticated attackers to trigger Tuleap projects whose configured repository matches the attacker-specified value." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-862: Missing Authorization" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2852", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2852", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43422.json b/2022/43xxx/CVE-2022-43422.json index e761e8da359..dea61720d76 100644 --- a/2022/43xxx/CVE-2022-43422.json +++ b/2022/43xxx/CVE-2022-43422.json @@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43422", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Compuware Topaz Utilities Plugin", + "version": { + "version_data": [ + { + "version_value": "1.0.8", + "version_affected": "<=" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-693: Protection Mechanism Failure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2620", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2620", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43423.json b/2022/43xxx/CVE-2022-43423.json index 7870a7b41c0..9729d673ed3 100644 --- a/2022/43xxx/CVE-2022-43423.json +++ b/2022/43xxx/CVE-2022-43423.json @@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43423", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin", + "version": { + "version_data": [ + { + "version_value": "2.0.12", + "version_affected": "<=" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-693: Protection Mechanism Failure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2622", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2622", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43424.json b/2022/43xxx/CVE-2022-43424.json index d7d6dcefbdf..7b411e46c51 100644 --- a/2022/43xxx/CVE-2022-43424.json +++ b/2022/43xxx/CVE-2022-43424.json @@ -1,17 +1,61 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43424", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Compuware Xpediter Code Coverage Plugin", + "version": { + "version_data": [ + { + "version_value": "1.0.7", + "version_affected": "<=" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-693: Protection Mechanism Failure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2627", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2627", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43425.json b/2022/43xxx/CVE-2022-43425.json index 388b9c07377..1ed7a635367 100644 --- a/2022/43xxx/CVE-2022-43425.json +++ b/2022/43xxx/CVE-2022-43425.json @@ -1,17 +1,65 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43425", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Custom Checkbox Parameter Plugin", + "version": { + "version_data": [ + { + "version_value": "1.4", + "version_affected": "<=" + }, + { + "version_value": "1.4", + "version_affected": "?>" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins Custom Checkbox Parameter Plugin 1.4 and earlier does not escape the name and description of Custom Checkbox Parameter parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2797", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2797", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43426.json b/2022/43xxx/CVE-2022-43426.json index f2a3fd82bac..c4fca528dd1 100644 --- a/2022/43xxx/CVE-2022-43426.json +++ b/2022/43xxx/CVE-2022-43426.json @@ -1,17 +1,65 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43426", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins S3 Explorer Plugin", + "version": { + "version_data": [ + { + "version_value": "1.0.8", + "version_affected": "<=" + }, + { + "version_value": "1.0.8", + "version_affected": "?>" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins S3 Explorer Plugin 1.0.8 and earlier does not mask the AWS_SECRET_ACCESS_KEY form field, increasing the potential for attackers to observe and capture it." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-549: Missing Password Field Masking" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2480", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2480", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43427.json b/2022/43xxx/CVE-2022-43427.json index 71921ca2424..2ea5b78b9ab 100644 --- a/2022/43xxx/CVE-2022-43427.json +++ b/2022/43xxx/CVE-2022-43427.json @@ -1,17 +1,65 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43427", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Compuware Topaz for Total Test Plugin", + "version": { + "version_data": [ + { + "version_value": "2.4.8", + "version_affected": "<=" + }, + { + "version_value": "2.4.8", + "version_affected": "?>" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-862: Missing Authorization" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2623", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2623", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43428.json b/2022/43xxx/CVE-2022-43428.json index 6e6cb0c0665..636d2406944 100644 --- a/2022/43xxx/CVE-2022-43428.json +++ b/2022/43xxx/CVE-2022-43428.json @@ -1,17 +1,65 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43428", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Compuware Topaz for Total Test Plugin", + "version": { + "version_data": [ + { + "version_value": "2.4.8", + "version_affected": "<=" + }, + { + "version_value": "2.4.8", + "version_affected": "?>" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-693: Protection Mechanism Failure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2624", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2624", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43429.json b/2022/43xxx/CVE-2022-43429.json index c7d4ea9a664..ce09d062db0 100644 --- a/2022/43xxx/CVE-2022-43429.json +++ b/2022/43xxx/CVE-2022-43429.json @@ -1,17 +1,65 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43429", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Compuware Topaz for Total Test Plugin", + "version": { + "version_data": [ + { + "version_value": "2.4.8", + "version_affected": "<=" + }, + { + "version_value": "2.4.8", + "version_affected": "?>" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to read arbitrary files on the Jenkins controller file system." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-693: Protection Mechanism Failure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2624", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2624", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43430.json b/2022/43xxx/CVE-2022-43430.json index afe05c606ca..20337933ef8 100644 --- a/2022/43xxx/CVE-2022-43430.json +++ b/2022/43xxx/CVE-2022-43430.json @@ -1,17 +1,65 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43430", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Compuware Topaz for Total Test Plugin", + "version": { + "version_data": [ + { + "version_value": "2.4.8", + "version_affected": "<=" + }, + { + "version_value": "2.4.8", + "version_affected": "?>" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-611: Improper Restriction of XML External Entity Reference" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2625", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2625", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43431.json b/2022/43xxx/CVE-2022-43431.json index aa647b97622..ca3d5a127e5 100644 --- a/2022/43xxx/CVE-2022-43431.json +++ b/2022/43xxx/CVE-2022-43431.json @@ -1,17 +1,65 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43431", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins Compuware Strobe Measurement Plugin", + "version": { + "version_data": [ + { + "version_value": "1.0.1", + "version_affected": "<=" + }, + { + "version_value": "1.0.1", + "version_affected": "?>" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins Compuware Strobe Measurement Plugin 1.0.1 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-862: Missing Authorization" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2631", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2631", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43432.json b/2022/43xxx/CVE-2022-43432.json index 161c589fef7..b9982b25266 100644 --- a/2022/43xxx/CVE-2022-43432.json +++ b/2022/43xxx/CVE-2022-43432.json @@ -1,17 +1,65 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43432", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins XFramium Builder Plugin", + "version": { + "version_data": [ + { + "version_value": "1.0.22", + "version_affected": "<=" + }, + { + "version_value": "1.0.22", + "version_affected": "?>" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins XFramium Builder Plugin 1.0.22 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-693: Protection Mechanism Failure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2863", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2863", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43433.json b/2022/43xxx/CVE-2022-43433.json index ffc18b67ff9..e6c7af7c2fa 100644 --- a/2022/43xxx/CVE-2022-43433.json +++ b/2022/43xxx/CVE-2022-43433.json @@ -1,17 +1,65 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43433", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins ScreenRecorder Plugin", + "version": { + "version_data": [ + { + "version_value": "0.7", + "version_affected": "<=" + }, + { + "version_value": "0.7", + "version_affected": "?>" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins ScreenRecorder Plugin 0.7 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-693: Protection Mechanism Failure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2864", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2864", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43434.json b/2022/43xxx/CVE-2022-43434.json index 7ce264f6050..ed3aa5af4c7 100644 --- a/2022/43xxx/CVE-2022-43434.json +++ b/2022/43xxx/CVE-2022-43434.json @@ -1,17 +1,65 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43434", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins NeuVector Vulnerability Scanner Plugin", + "version": { + "version_data": [ + { + "version_value": "1.20", + "version_affected": "<=" + }, + { + "version_value": "1.20", + "version_affected": "?>" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins NeuVector Vulnerability Scanner Plugin 1.20 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-693: Protection Mechanism Failure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2865", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2865", + "refsource": "CONFIRM" } ] } diff --git a/2022/43xxx/CVE-2022-43435.json b/2022/43xxx/CVE-2022-43435.json index 850292edc3f..7d71bad43c8 100644 --- a/2022/43xxx/CVE-2022-43435.json +++ b/2022/43xxx/CVE-2022-43435.json @@ -1,17 +1,65 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2022-43435", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "jenkinsci-cert@googlegroups.com" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Jenkins project", + "product": { + "product_data": [ + { + "product_name": "Jenkins 360 FireLine Plugin", + "version": { + "version_data": [ + { + "version_value": "1.7.2", + "version_affected": "<=" + }, + { + "version_value": "1.7.2", + "version_affected": "?>" + } + ] + } + } + ] + } + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Jenkins 360 FireLine Plugin 1.7.2 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-693: Protection Mechanism Failure" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2866", + "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2866", + "refsource": "CONFIRM" } ] }