From d89b6cc65b90ec26fe421e54501d70868d86d522 Mon Sep 17 00:00:00 2001
From: Kurt Seifried
Date: Tue, 31 Jul 2018 20:05:50 -0600
Subject: [PATCH] The other Jenkins CVEs
---
2018/1999xxx/CVE-2018-1999036.json | 1 +
2018/1999xxx/CVE-2018-1999037.json | 1 +
2018/1999xxx/CVE-2018-1999038.json | 1 +
2018/1999xxx/CVE-2018-1999039.json | 1 +
2018/1999xxx/CVE-2018-1999040.json | 1 +
2018/1999xxx/CVE-2018-1999041.json | 1 +
6 files changed, 6 insertions(+)
create mode 100644 2018/1999xxx/CVE-2018-1999036.json
create mode 100644 2018/1999xxx/CVE-2018-1999037.json
create mode 100644 2018/1999xxx/CVE-2018-1999038.json
create mode 100644 2018/1999xxx/CVE-2018-1999039.json
create mode 100644 2018/1999xxx/CVE-2018-1999040.json
create mode 100644 2018/1999xxx/CVE-2018-1999041.json
diff --git a/2018/1999xxx/CVE-2018-1999036.json b/2018/1999xxx/CVE-2018-1999036.json
new file mode 100644
index 00000000000..53a19212102
--- /dev/null
+++ b/2018/1999xxx/CVE-2018-1999036.json
@@ -0,0 +1 @@
+{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-07-30/#SECURITY-704"}]},"description": {"description_data": [{"lang": "eng","value": "A exposure of sensitive information vulnerability exists in Jenkins SSH Agent Plugin 1.15 and earlier in SSHAgentStepExecution.java that exposes the SSH private key password to users with permission to read the build log."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.15 and earlier"}]},"product_name": "Jenkins SSH Agent Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-07-31T20:04:28.271874","DATE_REQUESTED": "2018-07-30T00:00:00","ID": "CVE-2018-1999036","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-532"}]}]}}
\ No newline at end of file
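Review bot: `"version_value": "1.15 and earlier"` in the CVE-2018-1999036 record puts the affected range in free text, so a scanner that compares installed plugin versions against this record cannot evaluate it without parsing English; the CVE-2018-1999037 through CVE-2018-1999041 hunks use the same form. If the consuming schema accepts it, I would write the range as `"version_value": "1.15", "version_affected": "<="`. The description also opens with "A exposure" here and in the CVE-2018-1999040 and CVE-2018-1999041 hunks; it should read "An exposure".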
diff --git a/2018/1999xxx/CVE-2018-1999037.json b/2018/1999xxx/CVE-2018-1999037.json
new file mode 100644
index 00000000000..a2cbba2755a
--- /dev/null
+++ b/2018/1999xxx/CVE-2018-1999037.json
@@ -0,0 +1 @@
+{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-07-30/#SECURITY-997"}]},"description": {"description_data": [{"lang": "eng","value": "A data modification vulnerability exists in Jenkins Resource Disposer Plugin 0.11 and earlier in AsyncResourceDisposer.java that allows attackers to stop tracking a resource."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "0.11 and earlier"}]},"product_name": "Jenkins Resource Disposer Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-07-31T20:04:28.273204","DATE_REQUESTED": "2018-07-30T00:00:00","ID": "CVE-2018-1999037","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-285"}]}]}}
\ No newline at end of file
diff --git a/2018/1999xxx/CVE-2018-1999038.json b/2018/1999xxx/CVE-2018-1999038.json
new file mode 100644
index 00000000000..e05b0766e4d
--- /dev/null
+++ b/2018/1999xxx/CVE-2018-1999038.json
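Review bot: The description in the CVE-2018-1999037 record says only "allows attackers to stop tracking a resource" and never states what access the attacker needs, although the problemtype `CWE-285` implies a missing or insufficient permission check. Without that precondition (unauthenticated, or any user holding a particular Jenkins permission) a reader cannot triage exposure from the record alone and has to open the referenced advisory. The same gap is in the descriptions of the CVE-2018-1999038, CVE-2018-1999039 and CVE-2018-1999040 hunks. I would add the required permission level to each `value` string, taken from the advisory entry the record links to.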
@@ -0,0 +1 @@
+{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-07-30/#SECURITY-975"}]},"description": {"description_data": [{"lang": "eng","value": "A confused deputy vulnerability exists in Jenkins Publisher Over CIFS Plugin 0.10 and earlier in CifsPublisherPluginDescriptor.java that allows attackers to have Jenkins connect to an attacker specified CIFS server with attacker specified credentials."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "0.10 and earlier"}]},"product_name": "Jenkins Publisher Over CIFS Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-07-31T20:04:28.274237","DATE_REQUESTED": "2018-07-30T00:00:00","ID": "CVE-2018-1999038","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-285"}]}]}}
\ No newline at end of file
diff --git a/2018/1999xxx/CVE-2018-1999039.json b/2018/1999xxx/CVE-2018-1999039.json
new file mode 100644
index 00000000000..0e6e392e306
--- /dev/null
+++ b/2018/1999xxx/CVE-2018-1999039.json
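Review bot: The description in the CVE-2018-1999038 record calls the issue a "confused deputy vulnerability" while `problemtype` records `CWE-285` (improper authorization), so the two fields classify the same bug differently. The CVE-2018-1999039 hunk has the same mismatch with "server-side request forgery" against `CWE-285`, and the CVE-2018-1999040 hunk with "exposure of sensitive information" against `CWE-285`. If the root cause in all three is a missing permission check, the descriptions should say so; otherwise the closer entries would be `CWE-441` for the confused deputy and `CWE-918` for the request forgery. As written, consumers that filter or aggregate on the CWE field will not find these records when searching for SSRF.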
@@ -0,0 +1 @@
+{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-07-30/#SECURITY-982"}]},"description": {"description_data": [{"lang": "eng","value": "A server-side request forgery vulnerability exists in Jenkins Confluence Publisher Plugin 2.0.1 and earlier in ConfluenceSite.java that allows attackers to have Jenkins submit login requests to an attacker-specified Confluence server URL with attacker specified credentials."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.0.1 and earlier"}]},"product_name": "Jenkins Confluence Publisher Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-07-31T20:04:28.275856","DATE_REQUESTED": "2018-07-30T00:00:00","ID": "CVE-2018-1999039","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-285"}]}]}}
\ No newline at end of file
diff --git a/2018/1999xxx/CVE-2018-1999040.json b/2018/1999xxx/CVE-2018-1999040.json
new file mode 100644
index 00000000000..ce3a1684d48
--- /dev/null
+++ b/2018/1999xxx/CVE-2018-1999040.json
@@ -0,0 +1 @@
+{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-07-30/#SECURITY-1016"}]},"description": {"description_data": [{"lang": "eng","value": "A exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.10.1 and earlier in KubernetesCloud.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.10.1 and earlier"}]},"product_name": "Jenkins Kubernetes Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-07-31T20:04:28.277093","DATE_REQUESTED": "2018-07-30T00:00:00","ID": "CVE-2018-1999040","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-285"}]}]}}
\ No newline at end of file
diff --git a/2018/1999xxx/CVE-2018-1999041.json b/2018/1999xxx/CVE-2018-1999041.json
new file mode 100644
index 00000000000..f3f94264749
--- /dev/null
+++ b/2018/1999xxx/CVE-2018-1999041.json
@@ -0,0 +1 @@
+{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-07-30/#SECURITY-840"}]},"description": {"description_data": [{"lang": "eng","value": "A exposure of sensitive information vulnerability exists in Jenkins Tinfoil Security Plugin 1.6.1 and earlier in TinfoilScanRecorder.java that allows attackers with file system access to the Jenkins master to obtain the API secret key stored in this plugin's configuration."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.6.1 and earlier"}]},"product_name": "Jenkins Tinfoil Security Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-07-31T20:04:28.278144","DATE_REQUESTED": "2018-07-30T00:00:00","ID": "CVE-2018-1999041","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-522"}]}]}}
\ No newline at end of file