From 34effcf0f1133a297145a3fa22eaf3fe034aef73 Mon Sep 17 00:00:00 2001
From: Daniel Beck
Date: Wed, 27 Mar 2019 23:53:32 +0100
Subject: [PATCH] Jenkins 2019-03-25 security advisory
---
2019/1003xxx/CVE-2019-1003040.json | 59 ++++++++++++++++++++++++++++++
2019/1003xxx/CVE-2019-1003041.json | 59 ++++++++++++++++++++++++++++++
2019/1003xxx/CVE-2019-1003042.json | 59 ++++++++++++++++++++++++++++++
2019/1003xxx/CVE-2019-1003043.json | 59 ++++++++++++++++++++++++++++++
2019/1003xxx/CVE-2019-1003044.json | 59 ++++++++++++++++++++++++++++++
2019/1003xxx/CVE-2019-1003045.json | 59 ++++++++++++++++++++++++++++++
2019/1003xxx/CVE-2019-1003046.json | 59 ++++++++++++++++++++++++++++++
2019/1003xxx/CVE-2019-1003047.json | 59 ++++++++++++++++++++++++++++++
2019/1003xxx/CVE-2019-1003048.json | 59 ++++++++++++++++++++++++++++++
9 files changed, 531 insertions(+)
create mode 100644 2019/1003xxx/CVE-2019-1003040.json
create mode 100644 2019/1003xxx/CVE-2019-1003041.json
create mode 100644 2019/1003xxx/CVE-2019-1003042.json
create mode 100644 2019/1003xxx/CVE-2019-1003043.json
create mode 100644 2019/1003xxx/CVE-2019-1003044.json
create mode 100644 2019/1003xxx/CVE-2019-1003045.json
create mode 100644 2019/1003xxx/CVE-2019-1003046.json
create mode 100644 2019/1003xxx/CVE-2019-1003047.json
create mode 100644 2019/1003xxx/CVE-2019-1003048.json
diff --git a/2019/1003xxx/CVE-2019-1003040.json b/2019/1003xxx/CVE-2019-1003040.json
new file mode 100644
index 00000000000..ffb95dc58be
--- /dev/null
+++ b/2019/1003xxx/CVE-2019-1003040.json
@@ -0,0 +1,59 @@
+{
+ "CVE_data_meta": {
+ "ID": "CVE-2019-1003040",
+ "ASSIGNER": "jenkinsci-cert@googlegroups.com"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Jenkins project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Jenkins Script Security Plugin",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "1.55 and earlier"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.55 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-265"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://jenkins.io/security/advisory/2019-03-25/#SECURITY-1353"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2019/1003xxx/CVE-2019-1003041.json b/2019/1003xxx/CVE-2019-1003041.json
new file mode 100644
index 00000000000..5e4e1e25c3d
--- /dev/null
+++ b/2019/1003xxx/CVE-2019-1003041.json
@@ -0,0 +1,59 @@
+{
+ "CVE_data_meta": {
+ "ID": "CVE-2019-1003041",
+ "ASSIGNER": "jenkinsci-cert@googlegroups.com"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Jenkins project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Jenkins Pipeline: Groovy Plugin",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "2.64 and earlier"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-265"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://jenkins.io/security/advisory/2019-03-25/#SECURITY-1353"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2019/1003xxx/CVE-2019-1003042.json b/2019/1003xxx/CVE-2019-1003042.json
new file mode 100644
index 00000000000..04357fdc04c
--- /dev/null
+++ b/2019/1003xxx/CVE-2019-1003042.json
@@ -0,0 +1,59 @@
+{
+ "CVE_data_meta": {
+ "ID": "CVE-2019-1003042",
+ "ASSIGNER": "jenkinsci-cert@googlegroups.com"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Jenkins project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Jenkins Lockable Resources Plugin",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "2.4 and earlier"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "A cross site scripting vulnerability in Jenkins Lockable Resources Plugin 2.4 and earlier allows attackers able to control resource names to inject arbitrary JavaScript in web pages rendered by the plugin."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-79"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://jenkins.io/security/advisory/2019-03-25/#SECURITY-1361"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2019/1003xxx/CVE-2019-1003043.json b/2019/1003xxx/CVE-2019-1003043.json
new file mode 100644
index 00000000000..f69e04b85e3
--- /dev/null
+++ b/2019/1003xxx/CVE-2019-1003043.json
@@ -0,0 +1,59 @@
+{
+ "CVE_data_meta": {
+ "ID": "CVE-2019-1003043",
+ "ASSIGNER": "jenkinsci-cert@googlegroups.com"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Jenkins project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Jenkins Slack Notification Plugin",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "2.19 and earlier"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "A missing permission check in Jenkins Slack Notification Plugin 2.19 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-285"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://jenkins.io/security/advisory/2019-03-25/#SECURITY-976"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2019/1003xxx/CVE-2019-1003044.json b/2019/1003xxx/CVE-2019-1003044.json
new file mode 100644
index 00000000000..cf355c8aa94
--- /dev/null
+++ b/2019/1003xxx/CVE-2019-1003044.json
@@ -0,0 +1,59 @@
+{
+ "CVE_data_meta": {
+ "ID": "CVE-2019-1003044",
+ "ASSIGNER": "jenkinsci-cert@googlegroups.com"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Jenkins project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Jenkins Slack Notification Plugin",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "2.19 and earlier"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "A cross-site request forgery vulnerability in Jenkins Slack Notification Plugin 2.19 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-352"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://jenkins.io/security/advisory/2019-03-25/#SECURITY-976"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2019/1003xxx/CVE-2019-1003045.json b/2019/1003xxx/CVE-2019-1003045.json
new file mode 100644
index 00000000000..038b7e1da62
--- /dev/null
+++ b/2019/1003xxx/CVE-2019-1003045.json
@@ -0,0 +1,59 @@
+{
+ "CVE_data_meta": {
+ "ID": "CVE-2019-1003045",
+ "ASSIGNER": "jenkinsci-cert@googlegroups.com"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Jenkins project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Jenkins ECS Publisher Plugin",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "1.0.0 and earlier"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "A vulnerability in Jenkins ECS Publisher Plugin 1.0.0 and earlier allows attackers with Item/Extended Read permission, or local file system access to the Jenkins home directory to obtain the API token configured in this plugin's configuration."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-256"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://jenkins.io/security/advisory/2019-03-25/#SECURITY-846"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2019/1003xxx/CVE-2019-1003046.json b/2019/1003xxx/CVE-2019-1003046.json
new file mode 100644
index 00000000000..1ec01044957
--- /dev/null
+++ b/2019/1003xxx/CVE-2019-1003046.json
@@ -0,0 +1,59 @@
+{
+ "CVE_data_meta": {
+ "ID": "CVE-2019-1003046",
+ "ASSIGNER": "jenkinsci-cert@googlegroups.com"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Jenkins project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Jenkins Fortify on Demand Uploader Plugin",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "3.0.10 and earlier"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "A cross-site request forgery vulnerability in Jenkins Fortify on Demand Uploader Plugin 3.0.10 and earlier allows attackers to initiate a connection to an attacker-specified server."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-285"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://jenkins.io/security/advisory/2019-03-25/#SECURITY-992"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2019/1003xxx/CVE-2019-1003047.json b/2019/1003xxx/CVE-2019-1003047.json
new file mode 100644
index 00000000000..6bd924cabe1
--- /dev/null
+++ b/2019/1003xxx/CVE-2019-1003047.json
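Review bot: The `problemtype` value `"CWE-285"` in CVE-2019-1003046 does not match its own description, which calls the issue "A cross-site request forgery vulnerability"; CSRF is CWE-352, and CWE-285 (improper authorization) is the weakness used for missing permission checks. The sibling record CVE-2019-1003047 in this same patch, for the same plugin and advisory entry SECURITY-992, carries the opposite pairing (a "missing permission check" tagged CWE-352), so the two CWE IDs look swapped between the two files. The Slack pair CVE-2019-1003043/1003044 earlier in this patch uses the expected mapping (missing permission check → CWE-285, CSRF → CWE-352), which this record should follow. Change `"value": "CWE-285"` to `"value": "CWE-352"` here, and verify against the advisory before publishing since consumers key remediation guidance off the CWE.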
@@ -0,0 +1,59 @@
+{
+ "CVE_data_meta": {
+ "ID": "CVE-2019-1003047",
+ "ASSIGNER": "jenkinsci-cert@googlegroups.com"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Jenkins project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Jenkins Fortify on Demand Uploader Plugin",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "3.0.10 and earlier"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "A missing permission check in Jenkins Fortify on Demand Uploader Plugin 3.0.10 and earlier allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-352"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://jenkins.io/security/advisory/2019-03-25/#SECURITY-992"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2019/1003xxx/CVE-2019-1003048.json b/2019/1003xxx/CVE-2019-1003048.json
new file mode 100644
index 00000000000..f5934d378b4
--- /dev/null
+++ b/2019/1003xxx/CVE-2019-1003048.json
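Review bot: The `problemtype` value `"CWE-352"` in CVE-2019-1003047 contradicts its description, which states the issue is "A missing permission check" exploitable by "attackers with Overall/Read permission"; that is an authorization weakness (CWE-285), whereas CWE-352 is cross-site request forgery. The companion record CVE-2019-1003046 in this patch, covering the same plugin and advisory entry SECURITY-992, describes the CSRF variant yet is tagged CWE-285, so the two CWE IDs appear to have been exchanged between the files. The Slack records CVE-2019-1003043/1003044 earlier in this patch show the intended convention (missing permission check → CWE-285, CSRF → CWE-352). Change `"value": "CWE-352"` to `"value": "CWE-285"` here and confirm against the advisory text.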
@@ -0,0 +1,59 @@
+{
+ "CVE_data_meta": {
+ "ID": "CVE-2019-1003048",
+ "ASSIGNER": "jenkinsci-cert@googlegroups.com"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Jenkins project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Jenkins PRQA Plugin",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "3.1.0 and earlier"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "A vulnerability in Jenkins PRQA Plugin 3.1.0 and earlier allows attackers with local file system access to the Jenkins home directory to obtain the unencrypted password from the plugin configuration."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-256"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://jenkins.io/security/advisory/2019-03-25/#SECURITY-1089"
+ }
+ ]
+ }
+}
\ No newline at end of file
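Review bot: The new file ends without a trailing newline (`\ No newline at end of file` after the closing `+}`), as do all nine records added by this patch; for JSON kept under version control a terminating newline is the usual convention and avoids spurious whole-last-line diffs when the record is next amended. The content itself parses as strict JSON, so this is a point of style only. Consider regenerating the files with `jq .` or an equivalent serializer that emits a final newline, so that the last line is `}` followed by a line break.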