diff --git a/2019/1003xxx/CVE-2019-1003005.json b/2019/1003xxx/CVE-2019-1003005.json index 620491870c8..a2cbc759385 100644 --- a/2019/1003xxx/CVE-2019-1003005.json +++ b/2019/1003xxx/CVE-2019-1003005.json 
@@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1292"}]},"description": {"description_data": [{"lang": "eng","value": "A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.50 and earlier"}]},"product_name": "Jenkins Script Security Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-02-06T02:59:03.172123","ID": "CVE-2019-1003005","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-693"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2019-02-06T02:59:03.172123", + "ID" : "CVE-2019-1003005", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins Script Security Plugin", + "version" : { + "version_data" : [ + { + "version_value" : "1.50 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read 
permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-693" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1292", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1292" + } + ] + } +} diff --git a/2019/1003xxx/CVE-2019-1003006.json b/2019/1003xxx/CVE-2019-1003006.json index 21cb50d134f..32c192933a7 100644 --- a/2019/1003xxx/CVE-2019-1003006.json +++ b/2019/1003xxx/CVE-2019-1003006.json 
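Review bot: `"DATE_ASSIGNED" : "2019-02-06T02:59:03.172123"` on the new side carries microsecond precision but no `Z` or UTC offset, so a consumer that validates the field as an RFC 3339 date-time will reject it or have to guess the zone. The value is inherited from the old one-line record, so the commit does not introduce it, but every record in this commit (CVE-2019-1003005 through CVE-2019-1003016) re-emits the field in the same zone-less form, which makes this rewrite the natural moment to normalise it; if the assignment timestamps were recorded in UTC, the line becomes `"DATE_ASSIGNED" : "2019-02-06T02:59:03.172123Z"`. Whether the CVE JSON 4.0 schema the CNA tooling validates against requires a zone here cannot be told from the hunk, so confirm that before changing the records.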
@@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1293"}]},"description": {"description_data": [{"lang": "eng","value": "A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.0 and earlier in src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.0 and earlier"}]},"product_name": "Jenkins Groovy Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-02-06T02:59:03.172968","ID": "CVE-2019-1003006","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-693"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2019-02-06T02:59:03.172968", + "ID" : "CVE-2019-1003006", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins Groovy Plugin", + "version" : { + "version_data" : [ + { + "version_value" : "2.0 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.0 and earlier in src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on 
the Jenkins master JVM." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-693" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1293", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1293" + } + ] + } +} diff --git a/2019/1003xxx/CVE-2019-1003007.json b/2019/1003xxx/CVE-2019-1003007.json index 2d4dec104b3..5e29534f53a 100644 --- a/2019/1003xxx/CVE-2019-1003007.json +++ b/2019/1003xxx/CVE-2019-1003007.json 
@@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1295%20(1)"}]},"description": {"description_data": [{"lang": "eng","value": "A cross-site request forgery vulnerability exists in Jenkins Warnings Plugin 5.0.0 and earlier in src/main/java/hudson/plugins/warnings/GroovyParser.java that allows attackers to execute arbitrary code via a form validation HTTP endpoint."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "5.0.0 and earlier"}]},"product_name": "Jenkins Warnings Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-02-06T02:59:03.173482","ID": "CVE-2019-1003007","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-352"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2019-02-06T02:59:03.173482", + "ID" : "CVE-2019-1003007", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins Warnings Plugin", + "version" : { + "version_data" : [ + { + "version_value" : "5.0.0 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "A cross-site request forgery vulnerability exists in Jenkins Warnings Plugin 5.0.0 and earlier in src/main/java/hudson/plugins/warnings/GroovyParser.java that allows attackers to execute arbitrary code via a form validation HTTP endpoint." 
+ } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-352" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1295%20(1)", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1295%20(1)" + } + ] + } +} diff --git a/2019/1003xxx/CVE-2019-1003008.json b/2019/1003xxx/CVE-2019-1003008.json index 44be4b09da7..d6b5dace893 100644 --- a/2019/1003xxx/CVE-2019-1003008.json +++ b/2019/1003xxx/CVE-2019-1003008.json 
@@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1295%20(2)"}]},"description": {"description_data": [{"lang": "eng","value": "A cross-site request forgery vulnerability exists in Jenkins Warnings Next Generation Plugin 2.1.1 and earlier in src/main/java/io/jenkins/plugins/analysis/warnings/groovy/GroovyParser.java that allows attackers to execute arbitrary code via a form validation HTTP endpoint."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.1.1 and earlier"}]},"product_name": "Jenkins Warnings Next Generation Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-02-06T02:59:03.173949","ID": "CVE-2019-1003008","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-352"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2019-02-06T02:59:03.173949", + "ID" : "CVE-2019-1003008", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins Warnings Next Generation Plugin", + "version" : { + "version_data" : [ + { + "version_value" : "2.1.1 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "A cross-site request forgery vulnerability exists in Jenkins Warnings Next Generation Plugin 2.1.1 and earlier in src/main/java/io/jenkins/plugins/analysis/warnings/groovy/GroovyParser.java that allows attackers to execute arbitrary code via a form validation HTTP endpoint." 
+ } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-352" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1295%20(2)", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1295%20(2)" + } + ] + } +} diff --git a/2019/1003xxx/CVE-2019-1003009.json b/2019/1003xxx/CVE-2019-1003009.json index cbdf77a865c..fdc3658abd6 100644 --- a/2019/1003xxx/CVE-2019-1003009.json +++ b/2019/1003xxx/CVE-2019-1003009.json 
@@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-859"}]},"description": {"description_data": [{"lang": "eng","value": "An improper certificate validation vulnerability exists in Jenkins Active Directory Plugin 2.10 and earlier in src/main/java/hudson/plugins/active_directory/ActiveDirectoryDomain.java, src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java, src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java that allows attackers to impersonate the Active Directory server Jenkins connects to for authentication if Jenkins is configured to use StartTLS."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.10 and earlier"}]},"product_name": "Jenkins Active Directory Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-02-06T02:59:03.174428","ID": "CVE-2019-1003009","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-295"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2019-02-06T02:59:03.174428", + "ID" : "CVE-2019-1003009", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins Active Directory Plugin", + "version" : { + "version_data" : [ + { + "version_value" : "2.10 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "An improper certificate validation vulnerability exists in Jenkins 
Active Directory Plugin 2.10 and earlier in src/main/java/hudson/plugins/active_directory/ActiveDirectoryDomain.java, src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java, src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java that allows attackers to impersonate the Active Directory server Jenkins connects to for authentication if Jenkins is configured to use StartTLS." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-295" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-859", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-859" + } + ] + } +} diff --git a/2019/1003xxx/CVE-2019-1003010.json b/2019/1003xxx/CVE-2019-1003010.json index ca88eadcc19..05f5deac0f6 100644 --- a/2019/1003xxx/CVE-2019-1003010.json +++ b/2019/1003xxx/CVE-2019-1003010.json 
@@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1095"}]},"description": {"description_data": [{"lang": "eng","value": "A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "3.9.1 and earlier"}]},"product_name": "Jenkins Git Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-02-06T02:59:03.174822","ID": "CVE-2019-1003010","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-352"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2019-02-06T02:59:03.174822", + "ID" : "CVE-2019-1003010", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins Git Plugin", + "version" : { + "version_data" : [ + { + "version_value" : "3.9.1 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record." 
+ } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-352" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1095", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1095" + } + ] + } +} diff --git a/2019/1003xxx/CVE-2019-1003011.json b/2019/1003xxx/CVE-2019-1003011.json index 846438fc678..d0be8aa10f8 100644 --- a/2019/1003xxx/CVE-2019-1003011.json +++ b/2019/1003xxx/CVE-2019-1003011.json 
@@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102"}]},"description": {"description_data": [{"lang": "eng","value": "An information exposure and denial of service vulnerability exists in Jenkins Token Macro Plugin 2.5 and earlier in src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkinsci/plugins/tokenmacro/TokenMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/AbstractChangesSinceMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ChangesSinceLastBuildMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ProjectUrlMacro.java that allows attackers with the ability to control token macro input (such as SCM changelogs) to define recursive input that results in unexpected macro evaluation."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.5 and earlier"}]},"product_name": "Jenkins Token Macro Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-02-06T02:59:03.175229","ID": "CVE-2019-1003011","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-200, CWE-674"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2019-02-06T02:59:03.175229", + "ID" : "CVE-2019-1003011", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins Token Macro Plugin", + "version" : { + "version_data" : [ + { + "version_value" : "2.5 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + 
"description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "An information exposure and denial of service vulnerability exists in Jenkins Token Macro Plugin 2.5 and earlier in src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkinsci/plugins/tokenmacro/TokenMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/AbstractChangesSinceMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ChangesSinceLastBuildMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ProjectUrlMacro.java that allows attackers with the ability to control token macro input (such as SCM changelogs) to define recursive input that results in unexpected macro evaluation." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-200, CWE-674" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102" + } + ] + } +} diff --git a/2019/1003xxx/CVE-2019-1003012.json b/2019/1003xxx/CVE-2019-1003012.json index 7ad55b4bd4d..275308d19d1 100644 --- a/2019/1003xxx/CVE-2019-1003012.json +++ b/2019/1003xxx/CVE-2019-1003012.json 
@@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1201"}]},"description": {"description_data": [{"lang": "eng","value": "A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bundleStartup.js, blueocean-core-js/src/js/fetch.ts, blueocean-core-js/src/js/i18n/i18n.js, blueocean-core-js/src/js/urlconfig.js, blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java, blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java, blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.10.1 and earlier"}]},"product_name": "Jenkins Blue Ocean Plugins"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-02-06T02:59:03.175680","ID": "CVE-2019-1003012","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-352"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2019-02-06T02:59:03.175680", + "ID" : "CVE-2019-1003012", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins Blue Ocean Plugins", + "version" : { + "version_data" : [ + { + "version_value" : "1.10.1 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "A data 
modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bundleStartup.js, blueocean-core-js/src/js/fetch.ts, blueocean-core-js/src/js/i18n/i18n.js, blueocean-core-js/src/js/urlconfig.js, blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java, blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java, blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-352" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1201", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1201" + } + ] + } +} diff --git a/2019/1003xxx/CVE-2019-1003013.json b/2019/1003xxx/CVE-2019-1003013.json index 1eb6178498e..7b7c1f2f40a 100644 --- a/2019/1003xxx/CVE-2019-1003013.json +++ b/2019/1003xxx/CVE-2019-1003013.json 
@@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1204"}]},"description": {"description_data": [{"lang": "eng","value": "An cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java, blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java, blueocean-web/src/main/resources/io/jenkins/blueocean/PageStatePreloadDecorator/header.jelly that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.10.1 and earlier"}]},"product_name": "Jenkins Blue Ocean Plugins"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-02-06T02:59:03.176126","ID": "CVE-2019-1003013","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-79"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2019-02-06T02:59:03.176126", + "ID" : "CVE-2019-1003013", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins Blue Ocean Plugins", + "version" : { + "version_data" : [ + { + "version_value" : "1.10.1 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + 
"data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "An cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java, blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java, blueocean-web/src/main/resources/io/jenkins/blueocean/PageStatePreloadDecorator/header.jelly that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-79" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1204", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1204" + } + ] + } +} diff --git a/2019/1003xxx/CVE-2019-1003014.json b/2019/1003xxx/CVE-2019-1003014.json index 6c69917039b..6627c23e84e 100644 --- a/2019/1003xxx/CVE-2019-1003014.json +++ b/2019/1003xxx/CVE-2019-1003014.json 
@@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1253"}]},"description": {"description_data": [{"lang": "eng","value": "An cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.4.1 and earlier in src/main/resources/lib/configfiles/configfiles.jelly that allows attackers with permission to define shared configuration files to execute arbitrary JavaScript when a user attempts to delete the shared configuration file."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "3.4.1 and earlier"}]},"product_name": "Jenkins Config File Provider Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-02-06T02:59:03.176566","ID": "CVE-2019-1003014","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-79"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2019-02-06T02:59:03.176566", + "ID" : "CVE-2019-1003014", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins Config File Provider Plugin", + "version" : { + "version_data" : [ + { + "version_value" : "3.4.1 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "An cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.4.1 and earlier in src/main/resources/lib/configfiles/configfiles.jelly that allows attackers with permission to define shared configuration files to 
execute arbitrary JavaScript when a user attempts to delete the shared configuration file." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-79" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1253", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1253" + } + ] + } +} diff --git a/2019/1003xxx/CVE-2019-1003015.json b/2019/1003xxx/CVE-2019-1003015.json index 4ecd45ab46d..67d355dd6d7 100644 --- a/2019/1003xxx/CVE-2019-1003015.json +++ b/2019/1003xxx/CVE-2019-1003015.json 
@@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-905%20(1)"}]},"description": {"description_data": [{"lang": "eng","value": "An XML external entity processing vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/client/RestApiClient.java that allows attackers with the ability to control the HTTP server (Jenkins) queried in preparation of job import to read arbitrary files, perform a denial of service attack, etc."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.1 and earlier"}]},"product_name": "Jenkins Job Import Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-02-06T02:59:03.176985","ID": "CVE-2019-1003015","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-611"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2019-02-06T02:59:03.176985", + "ID" : "CVE-2019-1003015", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins Job Import Plugin", + "version" : { + "version_data" : [ + { + "version_value" : "2.1 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "An XML external entity processing vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/client/RestApiClient.java that allows attackers with the ability to control the 
HTTP server (Jenkins) queried in preparation of job import to read arbitrary files, perform a denial of service attack, etc." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-611" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-905%20(1)", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-905%20(1)" + } + ] + } +} diff --git a/2019/1003xxx/CVE-2019-1003016.json b/2019/1003xxx/CVE-2019-1003016.json index d3268f1d98c..68e1c84419f 100644 --- a/2019/1003xxx/CVE-2019-1003016.json +++ b/2019/1003xxx/CVE-2019-1003016.json 
@@ -1 +1,64 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-905%20(2)"}]},"description": {"description_data": [{"lang": "eng","value": "An exposure of sensitive information vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/JobImportAction.java, src/main/java/org/jenkins/ci/plugins/jobimport/JobImportGlobalConfig.java, src/main/java/org/jenkins/ci/plugins/jobimport/model/JenkinsSite.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.1 and earlier"}]},"product_name": "Jenkins Job Import Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-02-06T02:59:03.177456","ID": "CVE-2019-1003016","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-285"}]}]}}
\ No newline at end of file
+{
+ "CVE_data_meta" : {
+ "ASSIGNER" : "kurt@seifried.org",
+ "DATE_ASSIGNED" : "2019-02-06T02:59:03.177456",
+ "ID" : "CVE-2019-1003016",
+ "REQUESTER" : "ml@beckweb.net",
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "Jenkins Job Import Plugin",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "2.1 and earlier"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "Jenkins project"
+ }
+ ]
+ }
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "An exposure of sensitive information vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/JobImportAction.java, src/main/java/org/jenkins/ci/plugins/jobimport/JobImportGlobalConfig.java, src/main/java/org/jenkins/ci/plugins/jobimport/model/JenkinsSite.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins."
+ }
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "CWE-285"
+ }
+ ]
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-905%20(2)",
+ "refsource" : "CONFIRM",
+ "url" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-905%20(2)"
+ }
+ ]
+ }
+}
diff --git a/2019/1003xxx/CVE-2019-1003017.json b/2019/1003xxx/CVE-2019-1003017.json
index 15378df96fb..d8c04ee6bcd 100644
--- a/2019/1003xxx/CVE-2019-1003017.json
+++ b/2019/1003xxx/CVE-2019-1003017.json
@@ -1 +1,64 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1302"}]},"description": {"description_data": [{"lang": "eng","value": "A data modification vulnerability exists in Jenkins Job Import Plugin 3.0 and earlier in JobImportAction.java that allows attackers to copy jobs from a preconfigured other Jenkins instance, potentially installing additional plugins necessary to load the imported job's configuration."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "3.0 and earlier"}]},"product_name": "Jenkins Job Import Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-02-06T02:59:03.178298","ID": "CVE-2019-1003017","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-352"}]}]}}
\ No newline at end of file
+{
+ "CVE_data_meta" : {
+ "ASSIGNER" : "kurt@seifried.org",
+ "DATE_ASSIGNED" : "2019-02-06T02:59:03.178298",
+ "ID" : "CVE-2019-1003017",
+ "REQUESTER" : "ml@beckweb.net",
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "Jenkins Job Import Plugin",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "3.0 and earlier"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "Jenkins project"
+ }
+ ]
+ }
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "A data modification vulnerability exists in Jenkins Job Import Plugin 3.0 and earlier in JobImportAction.java that allows attackers to copy jobs from a preconfigured other Jenkins instance, potentially installing additional plugins necessary to load the imported job's configuration."
+ }
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "CWE-352"
+ }
+ ]
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1302",
+ "refsource" : "CONFIRM",
+ "url" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1302"
+ }
+ ]
+ }
+}
diff --git a/2019/1003xxx/CVE-2019-1003018.json b/2019/1003xxx/CVE-2019-1003018.json
index 993c72dcc9e..0d1f8e0a2e2 100644
--- a/2019/1003xxx/CVE-2019-1003018.json
+++ b/2019/1003xxx/CVE-2019-1003018.json
@@ -1 +1,64 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-602"}]},"description": {"description_data": [{"lang": "eng","value": "An exposure of sensitive information vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator\u2019s web browser output, or control the browser (e.g. malicious extension) to retrieve the configured client secret."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "0.29 and earlier"}]},"product_name": "Jenkins GitHub Authentication Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-02-06T02:59:03.178806","ID": "CVE-2019-1003018","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-549"}]}]}}
\ No newline at end of file
+{
+ "CVE_data_meta" : {
+ "ASSIGNER" : "kurt@seifried.org",
+ "DATE_ASSIGNED" : "2019-02-06T02:59:03.178806",
+ "ID" : "CVE-2019-1003018",
+ "REQUESTER" : "ml@beckweb.net",
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "Jenkins GitHub Authentication Plugin",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "0.29 and earlier"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "Jenkins project"
+ }
+ ]
+ }
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "An exposure of sensitive information vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. malicious extension) to retrieve the configured client secret."
+ }
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "CWE-549"
+ }
+ ]
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-602",
+ "refsource" : "CONFIRM",
+ "url" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-602"
+ }
+ ]
+ }
+}
diff --git a/2019/1003xxx/CVE-2019-1003019.json b/2019/1003xxx/CVE-2019-1003019.json
index cc63b440a7a..a546a012ef2 100644
--- a/2019/1003xxx/CVE-2019-1003019.json
+++ b/2019/1003xxx/CVE-2019-1003019.json
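Review bot: The new description reads `administrator's web browser output` with a plain ASCII apostrophe, whereas the removed line had `administrator\u2019s` (the escaped U+2019 right single quotation mark); as rendered here the character itself appears to have changed, not just its escaping, which would mean a formatting-only re-serialization silently edited advisory text. The same substitution appears in the CVE-2019-1003021 hunk. If the normalization is intended, it should be stated in the commit message; otherwise the original character should be preserved, escaped or literal, when the record is re-emitted.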
@@ -1 +1,64 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-797"}]},"description": {"description_data": [{"lang": "eng","value": "An session fixation vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "0.29 and earlier"}]},"product_name": "Jenkins GitHub Authentication Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-02-06T02:59:03.179227","ID": "CVE-2019-1003019","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-384"}]}]}}
\ No newline at end of file
+{
+ "CVE_data_meta" : {
+ "ASSIGNER" : "kurt@seifried.org",
+ "DATE_ASSIGNED" : "2019-02-06T02:59:03.179227",
+ "ID" : "CVE-2019-1003019",
+ "REQUESTER" : "ml@beckweb.net",
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "Jenkins GitHub Authentication Plugin",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "0.29 and earlier"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "Jenkins project"
+ }
+ ]
+ }
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "An session fixation vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session."
+ }
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "CWE-384"
+ }
+ ]
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-797",
+ "refsource" : "CONFIRM",
+ "url" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-797"
+ }
+ ]
+ }
+}
diff --git a/2019/1003xxx/CVE-2019-1003020.json b/2019/1003xxx/CVE-2019-1003020.json
index 1b2b520baf8..188ec09e99b 100644
--- a/2019/1003xxx/CVE-2019-1003020.json
+++ b/2019/1003xxx/CVE-2019-1003020.json
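Review bot: The description value still opens with `An session fixation vulnerability exists`, which should read `A session fixation vulnerability exists`; the typo was carried over verbatim from the removed line. Since this commit already rewrites the whole record, the published text could be corrected in the same pass rather than in a follow-up.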
@@ -1 +1,64 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-818"}]},"description": {"description_data": [{"lang": "eng","value": "A server-side request forgery vulnerability exists in Jenkins Kanboard Plugin 1.5.10 and earlier in KanboardGlobalConfiguration.java that allows attackers with Overall/Read permission to submit a GET request to an attacker-specified URL."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.5.10 and earlier"}]},"product_name": "Jenkins Kanboard Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-02-06T02:59:03.179697","ID": "CVE-2019-1003020","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-352"}]}]}}
\ No newline at end of file
+{
+ "CVE_data_meta" : {
+ "ASSIGNER" : "kurt@seifried.org",
+ "DATE_ASSIGNED" : "2019-02-06T02:59:03.179697",
+ "ID" : "CVE-2019-1003020",
+ "REQUESTER" : "ml@beckweb.net",
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "Jenkins Kanboard Plugin",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "1.5.10 and earlier"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "Jenkins project"
+ }
+ ]
+ }
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "A server-side request forgery vulnerability exists in Jenkins Kanboard Plugin 1.5.10 and earlier in KanboardGlobalConfiguration.java that allows attackers with Overall/Read permission to submit a GET request to an attacker-specified URL."
+ }
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "CWE-352"
+ }
+ ]
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-818",
+ "refsource" : "CONFIRM",
+ "url" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-818"
+ }
+ ]
+ }
+}
diff --git a/2019/1003xxx/CVE-2019-1003021.json b/2019/1003xxx/CVE-2019-1003021.json
index 68191ffa93e..3a54e186445 100644
--- a/2019/1003xxx/CVE-2019-1003021.json
+++ b/2019/1003xxx/CVE-2019-1003021.json
@@ -1 +1,64 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-886"}]},"description": {"description_data": [{"lang": "eng","value": "An exposure of sensitive information vulnerability exists in Jenkins OpenId Connect Authentication Plugin 1.4 and earlier in OicSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator\u2019s web browser output, or control the browser (e.g. malicious extension) to retrieve the configured client secret."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.4 and earlier"}]},"product_name": "Jenkins OpenId Connect Authentication Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-02-06T02:59:03.180484","ID": "CVE-2019-1003021","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-549"}]}]}}
\ No newline at end of file
+{
+ "CVE_data_meta" : {
+ "ASSIGNER" : "kurt@seifried.org",
+ "DATE_ASSIGNED" : "2019-02-06T02:59:03.180484",
+ "ID" : "CVE-2019-1003021",
+ "REQUESTER" : "ml@beckweb.net",
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "Jenkins OpenId Connect Authentication Plugin",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "1.4 and earlier"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "Jenkins project"
+ }
+ ]
+ }
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "An exposure of sensitive information vulnerability exists in Jenkins OpenId Connect Authentication Plugin 1.4 and earlier in OicSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. malicious extension) to retrieve the configured client secret."
+ }
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "CWE-549"
+ }
+ ]
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-886",
+ "refsource" : "CONFIRM",
+ "url" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-886"
+ }
+ ]
+ }
+}
diff --git a/2019/1003xxx/CVE-2019-1003022.json b/2019/1003xxx/CVE-2019-1003022.json
index 0b1a0796417..1afbb90ffbc 100644
--- a/2019/1003xxx/CVE-2019-1003022.json
+++ b/2019/1003xxx/CVE-2019-1003022.json
@@ -1 +1,64 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1153"}]},"description": {"description_data": [{"lang": "eng","value": "A denial of service vulnerability exists in Jenkins Monitoring Plugin 1.74.0 and earlier in PluginImpl.java that allows attackers to kill threads running on the Jenkins master."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.74.0 and earlier"}]},"product_name": "Jenkins Monitoring Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-02-06T02:59:03.181409","ID": "CVE-2019-1003022","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-352"}]}]}}
\ No newline at end of file
+{
+ "CVE_data_meta" : {
+ "ASSIGNER" : "kurt@seifried.org",
+ "DATE_ASSIGNED" : "2019-02-06T02:59:03.181409",
+ "ID" : "CVE-2019-1003022",
+ "REQUESTER" : "ml@beckweb.net",
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "Jenkins Monitoring Plugin",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "1.74.0 and earlier"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "Jenkins project"
+ }
+ ]
+ }
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "A denial of service vulnerability exists in Jenkins Monitoring Plugin 1.74.0 and earlier in PluginImpl.java that allows attackers to kill threads running on the Jenkins master."
+ }
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "CWE-352"
+ }
+ ]
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1153",
+ "refsource" : "CONFIRM",
+ "url" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1153"
+ }
+ ]
+ }
+}
diff --git a/2019/1003xxx/CVE-2019-1003023.json b/2019/1003xxx/CVE-2019-1003023.json
index 867d12349d0..de4fe491ec2 100644
--- a/2019/1003xxx/CVE-2019-1003023.json
+++ b/2019/1003xxx/CVE-2019-1003023.json
@@ -1 +1,64 @@
-{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1271"}]},"description": {"description_data": [{"lang": "eng","value": "A cross-site scripting vulnerability exists in Jenkins Warnings Next Generation Plugin 1.0.1 and earlier in src/main/java/io/jenkins/plugins/analysis/core/model/DetailsTableModel.java, src/main/java/io/jenkins/plugins/analysis/core/model/SourceDetail.java, src/main/java/io/jenkins/plugins/analysis/core/model/SourcePrinter.java, src/main/java/io/jenkins/plugins/analysis/core/util/Sanitizer.java, src/main/java/io/jenkins/plugins/analysis/warnings/DuplicateCodeScanner.java that allows attackers with the ability to control warnings parser input to have Jenkins render arbitrary HTML."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.0.1 and earlier"}]},"product_name": "Jenkins Warnings Next Generation Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-02-06T02:59:03.182072","ID": "CVE-2019-1003023","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-79"}]}]}}
\ No newline at end of file
+{
+ "CVE_data_meta" : {
+ "ASSIGNER" : "kurt@seifried.org",
+ "DATE_ASSIGNED" : "2019-02-06T02:59:03.182072",
+ "ID" : "CVE-2019-1003023",
+ "REQUESTER" : "ml@beckweb.net",
+ "STATE" : "PUBLIC"
+ },
+ "affects" : {
+ "vendor" : {
+ "vendor_data" : [
+ {
+ "product" : {
+ "product_data" : [
+ {
+ "product_name" : "Jenkins Warnings Next Generation Plugin",
+ "version" : {
+ "version_data" : [
+ {
+ "version_value" : "1.0.1 and earlier"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name" : "Jenkins project"
+ }
+ ]
+ }
+ },
+ "data_format" : "MITRE",
+ "data_type" : "CVE",
+ "data_version" : "4.0",
+ "description" : {
+ "description_data" : [
+ {
+ "lang" : "eng",
+ "value" : "A cross-site scripting vulnerability exists in Jenkins Warnings Next Generation Plugin 1.0.1 and earlier in src/main/java/io/jenkins/plugins/analysis/core/model/DetailsTableModel.java, src/main/java/io/jenkins/plugins/analysis/core/model/SourceDetail.java, src/main/java/io/jenkins/plugins/analysis/core/model/SourcePrinter.java, src/main/java/io/jenkins/plugins/analysis/core/util/Sanitizer.java, src/main/java/io/jenkins/plugins/analysis/warnings/DuplicateCodeScanner.java that allows attackers with the ability to control warnings parser input to have Jenkins render arbitrary HTML."
+ }
+ ]
+ },
+ "problemtype" : {
+ "problemtype_data" : [
+ {
+ "description" : [
+ {
+ "lang" : "eng",
+ "value" : "CWE-79"
+ }
+ ]
+ }
+ ]
+ },
+ "references" : {
+ "reference_data" : [
+ {
+ "name" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1271",
+ "refsource" : "CONFIRM",
+ "url" : "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1271"
+ }
+ ]
+ }
+}