From dfeb8b0417b84c1ffd03dfc36285c8a6aa172469 Mon Sep 17 00:00:00 2001 From: CVE Team Date: Wed, 9 Jan 2019 18:05:28 -0500 Subject: [PATCH] - Synchronized data. --- 2016/10xxx/CVE-2016-10736.json | 62 ++++++++++++++++++++++++ 2018/1000xxx/CVE-2018-1000406.json | 65 ++++++++++++++++++++++++- 2018/1000xxx/CVE-2018-1000407.json | 65 ++++++++++++++++++++++++- 2018/1000xxx/CVE-2018-1000408.json | 65 ++++++++++++++++++++++++- 2018/1000xxx/CVE-2018-1000409.json | 65 ++++++++++++++++++++++++- 2018/1000xxx/CVE-2018-1000410.json | 65 ++++++++++++++++++++++++- 2018/1000xxx/CVE-2018-1000411.json | 65 ++++++++++++++++++++++++- 2018/1000xxx/CVE-2018-1000412.json | 65 ++++++++++++++++++++++++- 2018/1000xxx/CVE-2018-1000413.json | 65 ++++++++++++++++++++++++- 2018/1000xxx/CVE-2018-1000414.json | 65 ++++++++++++++++++++++++- 2018/1000xxx/CVE-2018-1000415.json | 65 ++++++++++++++++++++++++- 2018/1000xxx/CVE-2018-1000416.json | 65 ++++++++++++++++++++++++- 2018/1000xxx/CVE-2018-1000417.json | 65 ++++++++++++++++++++++++- 2018/1000xxx/CVE-2018-1000418.json | 65 ++++++++++++++++++++++++- 2018/1000xxx/CVE-2018-1000419.json | 65 ++++++++++++++++++++++++- 2018/1000xxx/CVE-2018-1000420.json | 65 ++++++++++++++++++++++++- 2018/1000xxx/CVE-2018-1000421.json | 65 ++++++++++++++++++++++++- 2018/1000xxx/CVE-2018-1000422.json | 65 ++++++++++++++++++++++++- 2018/1000xxx/CVE-2018-1000423.json | 65 ++++++++++++++++++++++++- 2018/1000xxx/CVE-2018-1000424.json | 65 ++++++++++++++++++++++++- 2018/1000xxx/CVE-2018-1000425.json | 65 ++++++++++++++++++++++++- 2018/1000xxx/CVE-2018-1000426.json | 65 ++++++++++++++++++++++++- 2018/20xxx/CVE-2018-20681.json | 77 ++++++++++++++++++++++++++++++ 2018/20xxx/CVE-2018-20682.json | 62 ++++++++++++++++++++++++ 24 files changed, 1545 insertions(+), 21 deletions(-) create mode 100644 2016/10xxx/CVE-2016-10736.json create mode 100644 2018/20xxx/CVE-2018-20681.json create mode 100644 2018/20xxx/CVE-2018-20682.json diff --git a/2016/10xxx/CVE-2016-10736.json b/2016/10xxx/CVE-2016-10736.json new file mode 100644 index 00000000000..cae946c3caa --- /dev/null +++ b/2016/10xxx/CVE-2016-10736.json @@ -0,0 +1,62 @@ +{ + "CVE_data_meta" : { + "ASSIGNER" : "cve@mitre.org", + "ID" : "CVE-2016-10736", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "n/a", + "version" : { + "version_data" : [ + { + "version_value" : "n/a" + } + ] + } + } + ] + }, + "vendor_name" : "n/a" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "The \"Social Pug - Easy Social Share Buttons\" plugin before 1.2.6 for WordPress allows XSS via the wp-admin/admin.php?page=dpsp-toolkit dpsp_message_class parameter." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "n/a" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://advisories.dxw.com/advisories/reflected-xss-in-social-pug-easy-social-share-buttons-could-allow-an-attacker-to-do-almost-anything-an-admin-user-can/", + "refsource" : "MISC", + "url" : "https://advisories.dxw.com/advisories/reflected-xss-in-social-pug-easy-social-share-buttons-could-allow-an-attacker-to-do-almost-anything-an-admin-user-can/" + } + ] + } +} diff --git a/2018/1000xxx/CVE-2018-1000406.json b/2018/1000xxx/CVE-2018-1000406.json index f3e79e4ad45..1d9cf2e2686 100644 --- a/2018/1000xxx/CVE-2018-1000406.json +++ b/2018/1000xxx/CVE-2018-1000406.json @@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-10-10/#SECURITY-1074"}]},"description": {"description_data": [{"lang": "eng","value": "A path traversal vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java that allows attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.145 and earlier, LTS 2.138.1 and earlier"}]},"product_name": "Jenkins"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-12-28T04:34:37.677458","ID": "CVE-2018-1000406","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-22"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2018-12-28T04:34:37.677458", + "ID" : "CVE-2018-1000406", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins", + "version" : { + "version_data" : [ + { + "version_value" : "2.145 and earlier, LTS 2.138.1 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "A path traversal vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java that allows attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-22" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2018-10-10/#SECURITY-1074", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2018-10-10/#SECURITY-1074" + } + ] + } +} diff --git a/2018/1000xxx/CVE-2018-1000407.json b/2018/1000xxx/CVE-2018-1000407.json index bcaead2f38e..20af3766dc7 100644 --- a/2018/1000xxx/CVE-2018-1000407.json +++ b/2018/1000xxx/CVE-2018-1000407.json @@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-10-10/#SECURITY-1129"}]},"description": {"description_data": [{"lang": "eng","value": "A cross-site scripting vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/Api.java that allows attackers to specify URLs to Jenkins that result in rendering arbitrary attacker-controlled HTML by Jenkins."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.145 and earlier, LTS 2.138.1 and earlier"}]},"product_name": "Jenkins"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-12-28T04:34:37.677854","ID": "CVE-2018-1000407","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-79"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2018-12-28T04:34:37.677854", + "ID" : "CVE-2018-1000407", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins", + "version" : { + "version_data" : [ + { + "version_value" : "2.145 and earlier, LTS 2.138.1 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "A cross-site scripting vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/Api.java that allows attackers to specify URLs to Jenkins that result in rendering arbitrary attacker-controlled HTML by Jenkins." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-79" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2018-10-10/#SECURITY-1129", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2018-10-10/#SECURITY-1129" + } + ] + } +} diff --git a/2018/1000xxx/CVE-2018-1000408.json b/2018/1000xxx/CVE-2018-1000408.json index 0237b11c12b..23eab82e3de 100644 --- a/2018/1000xxx/CVE-2018-1000408.json +++ b/2018/1000xxx/CVE-2018-1000408.json @@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-10-10/#SECURITY-1128"}]},"description": {"description_data": [{"lang": "eng","value": "A denial of service vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that allows attackers without Overall/Read permission to access a specific URL on instances using the built-in Jenkins user database security realm that results in the creation of an ephemeral user record in memory."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.145 and earlier, LTS 2.138.1 and earlier"}]},"product_name": "Jenkins"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-12-28T04:34:37.678236","ID": "CVE-2018-1000408","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-400"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2018-12-28T04:34:37.678236", + "ID" : "CVE-2018-1000408", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins", + "version" : { + "version_data" : [ + { + "version_value" : "2.145 and earlier, LTS 2.138.1 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "A denial of service vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that allows attackers without Overall/Read permission to access a specific URL on instances using the built-in Jenkins user database security realm that results in the creation of an ephemeral user record in memory." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-400" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2018-10-10/#SECURITY-1128", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2018-10-10/#SECURITY-1128" + } + ] + } +} diff --git a/2018/1000xxx/CVE-2018-1000409.json b/2018/1000xxx/CVE-2018-1000409.json index baf2e680d4f..107dcb7027a 100644 --- a/2018/1000xxx/CVE-2018-1000409.json +++ b/2018/1000xxx/CVE-2018-1000409.json @@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-10-10/#SECURITY-1158"}]},"description": {"description_data": [{"lang": "eng","value": "A session fixation vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that prevented Jenkins from invalidating the existing session and creating a new one when a user signed up for a new user account."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.145 and earlier, LTS 2.138.1 and earlier"}]},"product_name": "Jenkins"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-12-28T04:34:37.678623","ID": "CVE-2018-1000409","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-384"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2018-12-28T04:34:37.678623", + "ID" : "CVE-2018-1000409", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins", + "version" : { + "version_data" : [ + { + "version_value" : "2.145 and earlier, LTS 2.138.1 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "A session fixation vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that prevented Jenkins from invalidating the existing session and creating a new one when a user signed up for a new user account." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-384" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2018-10-10/#SECURITY-1158", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2018-10-10/#SECURITY-1158" + } + ] + } +} diff --git a/2018/1000xxx/CVE-2018-1000410.json b/2018/1000xxx/CVE-2018-1000410.json index 1695fd2f62e..166fad7526d 100644 --- a/2018/1000xxx/CVE-2018-1000410.json +++ b/2018/1000xxx/CVE-2018-1000410.json @@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-10-10/#SECURITY-765"}]},"description": {"description_data": [{"lang": "eng","value": "An information exposure vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier, and the Stapler framework used by these releases, in core/src/main/java/org/kohsuke/stapler/RequestImpl.java, core/src/main/java/hudson/model/Descriptor.java that allows attackers with Overall/Administer permission or access to the local file system to obtain credentials entered by users if the form submission could not be successfully processed."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.145 and earlier, LTS 2.138.1 and earlier"}]},"product_name": "Jenkins"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-12-28T04:34:37.679069","ID": "CVE-2018-1000410","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-312"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2018-12-28T04:34:37.679069", + "ID" : "CVE-2018-1000410", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins", + "version" : { + "version_data" : [ + { + "version_value" : "2.145 and earlier, LTS 2.138.1 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "An information exposure vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier, and the Stapler framework used by these releases, in core/src/main/java/org/kohsuke/stapler/RequestImpl.java, core/src/main/java/hudson/model/Descriptor.java that allows attackers with Overall/Administer permission or access to the local file system to obtain credentials entered by users if the form submission could not be successfully processed." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-312" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2018-10-10/#SECURITY-765", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2018-10-10/#SECURITY-765" + } + ] + } +} diff --git a/2018/1000xxx/CVE-2018-1000411.json b/2018/1000xxx/CVE-2018-1000411.json index f8c6e703d62..acbdd2b42e4 100644 --- a/2018/1000xxx/CVE-2018-1000411.json +++ b/2018/1000xxx/CVE-2018-1000411.json @@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1101"}]},"description": {"description_data": [{"lang": "eng","value": "A cross-site request forgery vulnerability exists in Jenkins JUnit Plugin 1.25 and earlier in TestObject.java that allows setting the description of a test result."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.25 and earlier"}]},"product_name": "Jenkins JUnit Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-12-28T04:34:37.679451","ID": "CVE-2018-1000411","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-352"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2018-12-28T04:34:37.679451", + "ID" : "CVE-2018-1000411", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins JUnit Plugin", + "version" : { + "version_data" : [ + { + "version_value" : "1.25 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "A cross-site request forgery vulnerability exists in Jenkins JUnit Plugin 1.25 and earlier in TestObject.java that allows setting the description of a test result." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-352" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1101", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1101" + } + ] + } +} diff --git a/2018/1000xxx/CVE-2018-1000412.json b/2018/1000xxx/CVE-2018-1000412.json index 4f7479ff097..79c36f45a21 100644 --- a/2018/1000xxx/CVE-2018-1000412.json +++ b/2018/1000xxx/CVE-2018-1000412.json @@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1029"}]},"description": {"description_data": [{"lang": "eng","value": "An improper authorization vulnerability exists in Jenkins Jira Plugin 3.0.1 and earlier in JiraSite.java that allows attackers with Overall/Read access to have Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "3.0.1 and earlier"}]},"product_name": "Jenkins Jira Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-12-28T04:34:37.679835","ID": "CVE-2018-1000412","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-285, CWE-200"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2018-12-28T04:34:37.679835", + "ID" : "CVE-2018-1000412", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins Jira Plugin", + "version" : { + "version_data" : [ + { + "version_value" : "3.0.1 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "An improper authorization vulnerability exists in Jenkins Jira Plugin 3.0.1 and earlier in JiraSite.java that allows attackers with Overall/Read access to have Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-285, CWE-200" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1029", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1029" + } + ] + } +} diff --git a/2018/1000xxx/CVE-2018-1000413.json b/2018/1000xxx/CVE-2018-1000413.json index cf771cb4295..58bf25d60c3 100644 --- a/2018/1000xxx/CVE-2018-1000413.json +++ b/2018/1000xxx/CVE-2018-1000413.json @@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1080"}]},"description": {"description_data": [{"lang": "eng","value": "A cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in configfiles.jelly, providerlist.jelly that allows users with the ability to configure configuration files to insert arbitrary HTML into some pages in Jenkins."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "3.1 and earlier"}]},"product_name": "Jenkins Config File Provider Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-12-28T04:34:37.680270","ID": "CVE-2018-1000413","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-79"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2018-12-28T04:34:37.680270", + "ID" : "CVE-2018-1000413", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins Config File Provider Plugin", + "version" : { + "version_data" : [ + { + "version_value" : "3.1 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "A cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in configfiles.jelly, providerlist.jelly that allows users with the ability to configure configuration files to insert arbitrary HTML into some pages in Jenkins." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-79" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1080", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1080" + } + ] + } +} diff --git a/2018/1000xxx/CVE-2018-1000414.json b/2018/1000xxx/CVE-2018-1000414.json index 285b0459752..0902b6befb0 100644 --- a/2018/1000xxx/CVE-2018-1000414.json +++ b/2018/1000xxx/CVE-2018-1000414.json @@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-938"}]},"description": {"description_data": [{"lang": "eng","value": "A cross-site request forgery vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in ConfigFilesManagement.java, FolderConfigFileAction.java that allows creating and editing configuration file definitions."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "3.1 and earlier"}]},"product_name": "Jenkins Config File Provider Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-12-28T04:34:37.680814","ID": "CVE-2018-1000414","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-352"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2018-12-28T04:34:37.680814", + "ID" : "CVE-2018-1000414", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins Config File Provider Plugin", + "version" : { + "version_data" : [ + { + "version_value" : "3.1 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "A cross-site request forgery vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in ConfigFilesManagement.java, FolderConfigFileAction.java that allows creating and editing configuration file definitions." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-352" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-938", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-938" + } + ] + } +} diff --git a/2018/1000xxx/CVE-2018-1000415.json b/2018/1000xxx/CVE-2018-1000415.json index 6382caef551..9ff4d450b44 100644 --- a/2018/1000xxx/CVE-2018-1000415.json +++ b/2018/1000xxx/CVE-2018-1000415.json @@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-130"}]},"description": {"description_data": [{"lang": "eng","value": "A cross-site scripting vulnerability exists in Jenkins Rebuilder Plugin 1.28 and earlier in RebuildAction/BooleanParameterValue.jelly, RebuildAction/ExtendedChoiceParameterValue.jelly, RebuildAction/FileParameterValue.jelly, RebuildAction/LabelParameterValue.jelly, RebuildAction/ListSubversionTagsParameterValue.jelly, RebuildAction/MavenMetadataParameterValue.jelly, RebuildAction/NodeParameterValue.jelly, RebuildAction/PasswordParameterValue.jelly, RebuildAction/RandomStringParameterValue.jelly, RebuildAction/RunParameterValue.jelly, RebuildAction/StringParameterValue.jelly, RebuildAction/TextParameterValue.jelly, RebuildAction/ValidatingStringParameterValue.jelly that allows users with Job/Configuration permission to insert arbitrary HTML into rebuild forms"}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.28 and earlier"}]},"product_name": "Jenkins Rebuilder Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-12-28T04:34:37.681345","ID": "CVE-2018-1000415","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-79"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2018-12-28T04:34:37.681345", + "ID" : "CVE-2018-1000415", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins Rebuilder Plugin", + "version" : { + "version_data" : [ + { + "version_value" : "1.28 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "A cross-site scripting vulnerability exists in Jenkins Rebuilder Plugin 1.28 and earlier in RebuildAction/BooleanParameterValue.jelly, RebuildAction/ExtendedChoiceParameterValue.jelly, RebuildAction/FileParameterValue.jelly, RebuildAction/LabelParameterValue.jelly, RebuildAction/ListSubversionTagsParameterValue.jelly, RebuildAction/MavenMetadataParameterValue.jelly, RebuildAction/NodeParameterValue.jelly, RebuildAction/PasswordParameterValue.jelly, RebuildAction/RandomStringParameterValue.jelly, RebuildAction/RunParameterValue.jelly, RebuildAction/StringParameterValue.jelly, RebuildAction/TextParameterValue.jelly, RebuildAction/ValidatingStringParameterValue.jelly that allows users with Job/Configuration permission to insert arbitrary HTML into rebuild forms." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-79" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-130", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-130" + } + ] + } +} diff --git a/2018/1000xxx/CVE-2018-1000416.json b/2018/1000xxx/CVE-2018-1000416.json index 69f03888371..18acfd125c9 100644 --- a/2018/1000xxx/CVE-2018-1000416.json +++ b/2018/1000xxx/CVE-2018-1000416.json @@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1130"}]},"description": {"description_data": [{"lang": "eng","value": "A reflected cross-site scripting vulnerability exists in Jenkins Job Config History Plugin 2.18 and earlier in all Jelly files that shows arbitrary attacker-specified HTML in Jenkins to users with Job/Configure access"}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.18 and earlier"}]},"product_name": "Jenkins Job Config History Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-12-28T04:34:37.681796","ID": "CVE-2018-1000416","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-79"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2018-12-28T04:34:37.681796", + "ID" : "CVE-2018-1000416", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins Job Config History Plugin", + "version" : { + "version_data" : [ + { + "version_value" : "2.18 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "A reflected cross-site scripting vulnerability exists in Jenkins Job Config History Plugin 2.18 and earlier in all Jelly files that shows arbitrary attacker-specified HTML in Jenkins to users with Job/Configure access." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-79" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1130", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1130" + } + ] + } +} diff --git a/2018/1000xxx/CVE-2018-1000417.json b/2018/1000xxx/CVE-2018-1000417.json index 6103b001b65..84d14addf59 100644 --- a/2018/1000xxx/CVE-2018-1000417.json +++ b/2018/1000xxx/CVE-2018-1000417.json @@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1125"}]},"description": {"description_data": [{"lang": "eng","value": "A cross-site request forgery vulnerability exists in Jenkins Email Extension Template Plugin 1.0 and earlier in ExtEmailTemplateManagement.java that allows creating or removing templates."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.0 and earlier"}]},"product_name": "Jenkins Email Extension Template Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-12-28T04:34:37.682196","ID": "CVE-2018-1000417","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-352"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2018-12-28T04:34:37.682196", + "ID" : "CVE-2018-1000417", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins Email Extension Template Plugin", + "version" : { + "version_data" : [ + { + "version_value" : "1.0 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "A cross-site request forgery vulnerability exists in Jenkins Email Extension Template Plugin 1.0 and earlier in ExtEmailTemplateManagement.java that allows creating or removing templates." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-352" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1125", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1125" + } + ] + } +} diff --git a/2018/1000xxx/CVE-2018-1000418.json b/2018/1000xxx/CVE-2018-1000418.json index 0eb077d8275..439bee13679 100644 --- a/2018/1000xxx/CVE-2018-1000418.json +++ b/2018/1000xxx/CVE-2018-1000418.json @@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-984%20(1)"}]},"description": {"description_data": [{"lang": "eng","value": "An improper authorization vulnerability exists in Jenkins HipChat Plugin 2.2.0 and earlier in HipChatNotifier.java that allows attackers with Overall/Read access to send test notifications to an attacker-specified HipChat server with attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.2.0 and earlier"}]},"product_name": "Jenkins HipChat Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-12-28T04:34:37.682708","ID": "CVE-2018-1000418","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-285, CWE-200"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2018-12-28T04:34:37.682708", + "ID" : "CVE-2018-1000418", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins HipChat Plugin", + "version" : { + "version_data" : [ + { + "version_value" : "2.2.0 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "An improper authorization vulnerability exists in Jenkins HipChat Plugin 2.2.0 and earlier in HipChatNotifier.java that allows attackers with Overall/Read access to send test notifications to an attacker-specified HipChat server with attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-285, CWE-200" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-984%20(1)", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-984%20(1)" + } + ] + } +} diff --git a/2018/1000xxx/CVE-2018-1000419.json b/2018/1000xxx/CVE-2018-1000419.json index d7d26aff6b3..36b02ab7991 100644 --- a/2018/1000xxx/CVE-2018-1000419.json +++ b/2018/1000xxx/CVE-2018-1000419.json @@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-984%20(2)"}]},"description": {"description_data": [{"lang": "eng","value": "An improper authorization vulnerability exists in Jenkins HipChat Plugin 2.2.0 and earlier in HipChatNotifier.java that allows attackers with Overall/Read access to obtain credentials IDs for credentials stored in Jenkins."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.2.0 and earlier"}]},"product_name": "Jenkins HipChat Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-12-28T04:34:37.683171","ID": "CVE-2018-1000419","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-285, CWE-200"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2018-12-28T04:34:37.683171", + "ID" : "CVE-2018-1000419", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins HipChat Plugin", + "version" : { + "version_data" : [ + { + "version_value" : "2.2.0 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "An improper authorization vulnerability exists in Jenkins HipChat Plugin 2.2.0 and earlier in HipChatNotifier.java that allows attackers with Overall/Read access to obtain credentials IDs for credentials stored in Jenkins." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-285, CWE-200" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-984%20(2)", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-984%20(2)" + } + ] + } +} diff --git a/2018/1000xxx/CVE-2018-1000420.json b/2018/1000xxx/CVE-2018-1000420.json index 2ba5d2b02ba..a7974792f4c 100644 --- a/2018/1000xxx/CVE-2018-1000420.json +++ b/2018/1000xxx/CVE-2018-1000420.json @@ -1 +1,64 @@ -{"data_version":"4.0","references":{"reference_data":[{"url":"https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20(1)"}]},"description":{"description_data":[{"lang":"eng","value":"An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to obtain credentials IDs for credentials stored in Jenkins."}]},"data_type":"CVE","affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"version":{"version_data":[{"version_value":"0.17.1 and earlier"}]},"product_name":"Jenkins Mesos Plugin"}]},"vendor_name":"Jenkins project"}]}},"CVE_data_meta":{"DATE_ASSIGNED":"2018-12-28T04:34:37.683653","ID":"CVE-2018-1000420","ASSIGNER":"kurt@seifried.org","REQUESTER":"ml@beckweb.net"},"data_format":"MITRE","problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-285, CWE-200"}]}]}} +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2018-12-28T04:34:37.683653", + "ID" : "CVE-2018-1000420", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins Mesos Plugin", + "version" : { + "version_data" : [ + { + "version_value" : "0.17.1 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to obtain credentials IDs for credentials stored in Jenkins." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-285, CWE-200" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20(1)", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20(1)" + } + ] + } +} diff --git a/2018/1000xxx/CVE-2018-1000421.json b/2018/1000xxx/CVE-2018-1000421.json index a803007c43c..41c635776e1 100644 --- a/2018/1000xxx/CVE-2018-1000421.json +++ b/2018/1000xxx/CVE-2018-1000421.json @@ -1 +1,64 @@ -{"data_version":"4.0","references":{"reference_data":[{"url":"https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20(2)"}]},"description":{"description_data":[{"lang":"eng","value":"An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to initiate a test connection to an attacker-specified Mesos server with attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins."}]},"data_type":"CVE","affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"version":{"version_data":[{"version_value":"0.17.1 and earlier"}]},"product_name":"Jenkins Mesos Plugin"}]},"vendor_name":"Jenkins project"}]}},"CVE_data_meta":{"DATE_ASSIGNED":"2018-12-28T04:34:37.684154","ID":"CVE-2018-1000421","ASSIGNER":"kurt@seifried.org","REQUESTER":"ml@beckweb.net"},"data_format":"MITRE","problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-285, CWE-200"}]}]}} +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2018-12-28T04:34:37.684154", + "ID" : "CVE-2018-1000421", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins Mesos Plugin", + "version" : { + "version_data" : [ + { + "version_value" : "0.17.1 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to initiate a test connection to an attacker-specified Mesos server with attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-285, CWE-200" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20(2)", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1013%20(2)" + } + ] + } +} diff --git a/2018/1000xxx/CVE-2018-1000422.json b/2018/1000xxx/CVE-2018-1000422.json index 7d33f3b85be..201adbe5ec9 100644 --- a/2018/1000xxx/CVE-2018-1000422.json +++ b/2018/1000xxx/CVE-2018-1000422.json @@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1067"}]},"description": {"description_data": [{"lang": "eng","value": "An improper authorization vulnerability exists in Jenkins Crowd 2 Integration Plugin 2.0.0 and earlier in CrowdSecurityRealm.java that allows attackers to have Jenkins perform a connection test, connecting to an attacker-specified server with attacker-specified credentials and connection settings."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.0.0 and earlier"}]},"product_name": "Jenkins Crowd 2 Integration Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-12-28T04:34:37.684868","ID": "CVE-2018-1000422","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-285"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2018-12-28T04:34:37.684868", + "ID" : "CVE-2018-1000422", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins Crowd 2 Integration Plugin", + "version" : { + "version_data" : [ + { + "version_value" : "2.0.0 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "An improper authorization vulnerability exists in Jenkins Crowd 2 Integration Plugin 2.0.0 and earlier in CrowdSecurityRealm.java that allows attackers to have Jenkins perform a connection test, connecting to an attacker-specified server with attacker-specified credentials and connection settings." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-285" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1067", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1067" + } + ] + } +} diff --git a/2018/1000xxx/CVE-2018-1000423.json b/2018/1000xxx/CVE-2018-1000423.json index 4fc11197e4b..f6924195308 100644 --- a/2018/1000xxx/CVE-2018-1000423.json +++ b/2018/1000xxx/CVE-2018-1000423.json @@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1068"}]},"description": {"description_data": [{"lang": "eng","value": "An insufficiently protected credentials vulnerability exists in Jenkins Crowd 2 Integration Plugin 2.0.0 and earlier in CrowdSecurityRealm.java, CrowdConfigurationService.java that allows attackers with local file system access to obtain the credentials used to connect to Crowd 2."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.0.0 and earlier"}]},"product_name": "Jenkins Crowd 2 Integration Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-12-28T04:34:37.685327","ID": "CVE-2018-1000423","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-522"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2018-12-28T04:34:37.685327", + "ID" : "CVE-2018-1000423", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins Crowd 2 Integration Plugin", + "version" : { + "version_data" : [ + { + "version_value" : "2.0.0 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "An insufficiently protected credentials vulnerability exists in Jenkins Crowd 2 Integration Plugin 2.0.0 and earlier in CrowdSecurityRealm.java, CrowdConfigurationService.java that allows attackers with local file system access to obtain the credentials used to connect to Crowd 2." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-522" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1068", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1068" + } + ] + } +} diff --git a/2018/1000xxx/CVE-2018-1000424.json b/2018/1000xxx/CVE-2018-1000424.json index 90beb9de421..580e4c6f1c2 100644 --- a/2018/1000xxx/CVE-2018-1000424.json +++ b/2018/1000xxx/CVE-2018-1000424.json @@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-265"}]},"description": {"description_data": [{"lang": "eng","value": "An insufficiently protected credentials vulnerability exists in Jenkins Artifactory Plugin 2.16.1 and earlier in ArtifactoryBuilder.java, CredentialsConfig.java that allows attackers with local file system access to obtain old credentials configured for the plugin before it integrated with Credentials Plugin."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.16.1 and earlier"}]},"product_name": "Jenkins Artifactory Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-12-28T04:34:37.685776","ID": "CVE-2018-1000424","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-522"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2018-12-28T04:34:37.685776", + "ID" : "CVE-2018-1000424", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins Artifactory Plugin", + "version" : { + "version_data" : [ + { + "version_value" : "2.16.1 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "An insufficiently protected credentials vulnerability exists in Jenkins Artifactory Plugin 2.16.1 and earlier in ArtifactoryBuilder.java, CredentialsConfig.java that allows attackers with local file system access to obtain old credentials configured for the plugin before it integrated with Credentials Plugin." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-522" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-265", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-265" + } + ] + } +} diff --git a/2018/1000xxx/CVE-2018-1000425.json b/2018/1000xxx/CVE-2018-1000425.json index babb979d2ea..13a534ffc5f 100644 --- a/2018/1000xxx/CVE-2018-1000425.json +++ b/2018/1000xxx/CVE-2018-1000425.json @@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1163"}]},"description": {"description_data": [{"lang": "eng","value": "An insufficiently protected credentials vulnerability exists in Jenkins SonarQube Scanner Plugin 2.8 and earlier in SonarInstallation.java that allows attackers with local file system access to obtain the credentials used to connect to SonarQube."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.8 and earlier"}]},"product_name": "Jenkins SonarQube Scanner Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-12-28T04:34:37.686252","ID": "CVE-2018-1000425","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-522"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2018-12-28T04:34:37.686252", + "ID" : "CVE-2018-1000425", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins SonarQube Scanner Plugin", + "version" : { + "version_data" : [ + { + "version_value" : "2.8 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "An insufficiently protected credentials vulnerability exists in Jenkins SonarQube Scanner Plugin 2.8 and earlier in SonarInstallation.java that allows attackers with local file system access to obtain the credentials used to connect to SonarQube." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-522" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1163", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1163" + } + ] + } +} diff --git a/2018/1000xxx/CVE-2018-1000426.json b/2018/1000xxx/CVE-2018-1000426.json index bd2f10729ac..4d9122892db 100644 --- a/2018/1000xxx/CVE-2018-1000426.json +++ b/2018/1000xxx/CVE-2018-1000426.json @@ -1 +1,64 @@ -{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1122"}]},"description": {"description_data": [{"lang": "eng","value": "A cross-site scripting vulnerability exists in Jenkins Git Changelog Plugin 2.6 and earlier in GitChangelogSummaryDecorator/summary.jelly, GitChangelogLeftsideBuildDecorator/badge.jelly, GitLogJiraFilterPostPublisher/config.jelly, GitLogBasicChangelogPostPublisher/config.jelly that allows attackers able to control the Git history parsed by the plugin to have Jenkins render arbitrary HTML on some pages."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.6 and earlier"}]},"product_name": "Jenkins Git Changelog Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2018-12-28T04:34:37.686723","ID": "CVE-2018-1000426","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-79"}]}]}} \ No newline at end of file +{ + "CVE_data_meta" : { + "ASSIGNER" : "kurt@seifried.org", + "DATE_ASSIGNED" : "2018-12-28T04:34:37.686723", + "ID" : "CVE-2018-1000426", + "REQUESTER" : "ml@beckweb.net", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "Jenkins Git Changelog Plugin", + "version" : { + "version_data" : [ + { + "version_value" : "2.6 and earlier" + } + ] + } + } + ] + }, + "vendor_name" : "Jenkins project" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "A cross-site scripting vulnerability exists in Jenkins Git Changelog Plugin 2.6 and earlier in GitChangelogSummaryDecorator/summary.jelly, GitChangelogLeftsideBuildDecorator/badge.jelly, GitLogJiraFilterPostPublisher/config.jelly, GitLogBasicChangelogPostPublisher/config.jelly that allows attackers able to control the Git history parsed by the plugin to have Jenkins render arbitrary HTML on some pages." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "CWE-79" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1122", + "refsource" : "CONFIRM", + "url" : "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1122" + } + ] + } +} diff --git a/2018/20xxx/CVE-2018-20681.json b/2018/20xxx/CVE-2018-20681.json new file mode 100644 index 00000000000..83a39ccb1c1 --- /dev/null +++ b/2018/20xxx/CVE-2018-20681.json @@ -0,0 +1,77 @@ +{ + "CVE_data_meta" : { + "ASSIGNER" : "cve@mitre.org", + "ID" : "CVE-2018-20681", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "n/a", + "version" : { + "version_data" : [ + { + "version_value" : "n/a" + } + ] + } + } + ] + }, + "vendor_name" : "n/a" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "mate-screensaver before 1.20.2 in MATE Desktop Environment allows physically proximate attackers to view screen content and possibly control applications. By unplugging and re-plugging or power-cycling external output devices (such as additionally attached graphical outputs via HDMI, VGA, DVI, etc.) the content of a screensaver-locked session can be revealed. In some scenarios, the attacker can execute applications, such as by clicking with a mouse." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "n/a" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://github.com/mate-desktop/mate-screensaver/issues/152", + "refsource" : "MISC", + "url" : "https://github.com/mate-desktop/mate-screensaver/issues/152" + }, + { + "name" : "https://github.com/mate-desktop/mate-screensaver/issues/155", + "refsource" : "MISC", + "url" : "https://github.com/mate-desktop/mate-screensaver/issues/155" + }, + { + "name" : "https://github.com/mate-desktop/mate-screensaver/issues/170", + "refsource" : "MISC", + "url" : "https://github.com/mate-desktop/mate-screensaver/issues/170" + }, + { + "name" : "https://github.com/mate-desktop/mate-screensaver/pull/167", + "refsource" : "MISC", + "url" : "https://github.com/mate-desktop/mate-screensaver/pull/167" + } + ] + } +} diff --git a/2018/20xxx/CVE-2018-20682.json b/2018/20xxx/CVE-2018-20682.json new file mode 100644 index 00000000000..357e08fdead --- /dev/null +++ b/2018/20xxx/CVE-2018-20682.json @@ -0,0 +1,62 @@ +{ + "CVE_data_meta" : { + "ASSIGNER" : "cve@mitre.org", + "ID" : "CVE-2018-20682", + "STATE" : "PUBLIC" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ + { + "product" : { + "product_data" : [ + { + "product_name" : "n/a", + "version" : { + "version_data" : [ + { + "version_value" : "n/a" + } + ] + } + } + ] + }, + "vendor_name" : "n/a" + } + ] + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "Fork CMS 5.0.6 allows stored XSS via the private/en/settings facebook_admin_ids parameter (aka \"Admin ids\" input in the Facebook section)." + } + ] + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "n/a" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "name" : "https://www.netsparker.com/web-applications-advisories/ns-18-032-stored-cross-site-scripting-in-forkcms/", + "refsource" : "MISC", + "url" : "https://www.netsparker.com/web-applications-advisories/ns-18-032-stored-cross-site-scripting-in-forkcms/" + } + ] + } +}