From efac9655602f1ec1ebb23c5024dda7d5431be775 Mon Sep 17 00:00:00 2001
From: Wadeck Follonier
Date: Wed, 15 Jul 2020 11:58:18 +0200
Subject: [PATCH] Add CVEs for 2020-07-15 Jenkins advisory
---
 2020/2xxx/CVE-2020-2220.json | 60 ++++++++++++++++++++++++++++++++----
 2020/2xxx/CVE-2020-2221.json | 60 ++++++++++++++++++++++++++++++++----
 2020/2xxx/CVE-2020-2222.json | 60 ++++++++++++++++++++++++++++++++----
 2020/2xxx/CVE-2020-2223.json | 60 ++++++++++++++++++++++++++++++++----
 2020/2xxx/CVE-2020-2224.json | 56 +++++++++++++++++++++++++++++----
 2020/2xxx/CVE-2020-2225.json | 56 +++++++++++++++++++++++++++++----
 2020/2xxx/CVE-2020-2226.json | 56 +++++++++++++++++++++++++++++----
 2020/2xxx/CVE-2020-2227.json | 56 +++++++++++++++++++++++++++++----
 2020/2xxx/CVE-2020-2228.json | 56 +++++++++++++++++++++++++++++----
 9 files changed, 466 insertions(+), 54 deletions(-)
diff --git a/2020/2xxx/CVE-2020-2220.json b/2020/2xxx/CVE-2020-2220.json
index 3294e9914c6..f9b9407ab6b 100644
--- a/2020/2xxx/CVE-2020-2220.json
+++ b/2020/2xxx/CVE-2020-2220.json
@@ -1,17 +1,65 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-2220",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "jenkinsci-cert@googlegroups.com"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Jenkins project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Jenkins",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "2.244",
+ "version_affected": "<="
+ },
+ {
+ "version_value": "LTS 2.235.1",
+ "version_affected": "<="
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name in the build time trend page, resulting in a stored cross-site scripting vulnerability."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1868",
+ "url": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1868",
+ "refsource": "CONFIRM"
 }
 ]
 }
diff --git a/2020/2xxx/CVE-2020-2221.json b/2020/2xxx/CVE-2020-2221.json
index c4d5eef8805..549582c8580 100644
--- a/2020/2xxx/CVE-2020-2221.json
+++ b/2020/2xxx/CVE-2020-2221.json
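Review bot: The two `version_data` entries under product `Jenkins` are hard to consume mechanically: `"version_value": "LTS 2.235.1"` puts the release-line label inside the version string, and the weekly entry `"version_value": "2.244"` with `"version_affected": "<="` also covers, by plain numeric comparison, every LTS build numbered below 2.244, presumably including LTS releases that carry the fix. A scanner matching on these fields would likely over-report on patched LTS installs or fail to parse the LTS entry at all. Consider keeping `version_value` numeric and carrying the release line in `version_name`, e.g. `"version_name": "LTS", "version_value": "2.235.1"`, and check how downstream consumers bound the weekly range. The same two entries appear in the hunks for CVE-2020-2221, CVE-2020-2222 and CVE-2020-2223.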
@@ -1,17 +1,65 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-2221",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "jenkinsci-cert@googlegroups.com"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Jenkins project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Jenkins",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "2.244",
+ "version_affected": "<="
+ },
+ {
+ "version_value": "LTS 2.235.1",
+ "version_affected": "<="
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting vulnerability."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1901",
+ "url": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1901",
+ "refsource": "CONFIRM"
 }
 ]
 }
diff --git a/2020/2xxx/CVE-2020-2222.json b/2020/2xxx/CVE-2020-2222.json
index 0b1729dd566..38d41db29ed 100644
--- a/2020/2xxx/CVE-2020-2222.json
+++ b/2020/2xxx/CVE-2020-2222.json
@@ -1,17 +1,65 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-2222",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "jenkinsci-cert@googlegroups.com"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Jenkins project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Jenkins",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "2.244",
+ "version_affected": "<="
+ },
+ {
+ "version_value": "LTS 2.235.1",
+ "version_affected": "<="
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip, resulting in a stored cross-site scripting vulnerability."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1902",
+ "url": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1902",
+ "refsource": "CONFIRM"
 }
 ]
 }
diff --git a/2020/2xxx/CVE-2020-2223.json b/2020/2xxx/CVE-2020-2223.json
index 3f97b7d37d4..eee94afe2b4 100644
--- a/2020/2xxx/CVE-2020-2223.json
+++ b/2020/2xxx/CVE-2020-2223.json
@@ -1,17 +1,65 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-2223",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "jenkinsci-cert@googlegroups.com"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Jenkins project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Jenkins",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "2.244",
+ "version_affected": "<="
+ },
+ {
+ "version_value": "LTS 2.235.1",
+ "version_affected": "<="
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape correctly the 'href' attribute of links to downstream jobs displayed in the build console page, resulting in a stored cross-site scripting vulnerability."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1945",
+ "url": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1945",
+ "refsource": "CONFIRM"
 }
 ]
 }
diff --git a/2020/2xxx/CVE-2020-2224.json b/2020/2xxx/CVE-2020-2224.json
index 836f14aed41..b456e7ee85f 100644
--- a/2020/2xxx/CVE-2020-2224.json
+++ b/2020/2xxx/CVE-2020-2224.json
@@ -1,17 +1,61 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-2224",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "jenkinsci-cert@googlegroups.com"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Jenkins project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Jenkins Matrix Project Plugin",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "1.16",
+ "version_affected": "<="
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Jenkins Matrix Project Plugin 1.16 and earlier does not escape the node names shown in tooltips on the overview page of builds with a single axis, resulting in a stored cross-site scripting vulnerability."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1924",
+ "url": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1924",
+ "refsource": "CONFIRM"
 }
 ]
 }
diff --git a/2020/2xxx/CVE-2020-2225.json b/2020/2xxx/CVE-2020-2225.json
index 11bcdcada04..46e8e55dbee 100644
--- a/2020/2xxx/CVE-2020-2225.json
+++ b/2020/2xxx/CVE-2020-2225.json
@@ -1,17 +1,61 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-2225",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "jenkinsci-cert@googlegroups.com"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Jenkins project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Jenkins Matrix Project Plugin",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "1.16",
+ "version_affected": "<="
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Jenkins Matrix Project Plugin 1.16 and earlier does not escape the axis names shown in tooltips on the overview page of builds with multiple axes, resulting in a stored cross-site scripting vulnerability."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1925",
+ "url": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1925",
+ "refsource": "CONFIRM"
 }
 ]
 }
diff --git a/2020/2xxx/CVE-2020-2226.json b/2020/2xxx/CVE-2020-2226.json
index 3d2beaa1608..7519de13688 100644
--- a/2020/2xxx/CVE-2020-2226.json
+++ b/2020/2xxx/CVE-2020-2226.json
@@ -1,17 +1,61 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-2226",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "jenkinsci-cert@googlegroups.com"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Jenkins project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Jenkins Matrix Authorization Strategy Plugin",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "2.6.1",
+ "version_affected": "<="
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Jenkins Matrix Authorization Strategy Plugin 2.6.1 and earlier does not escape user names shown in the configuration, resulting in a stored cross-site scripting vulnerability."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1909",
+ "url": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1909",
+ "refsource": "CONFIRM"
 }
 ]
 }
diff --git a/2020/2xxx/CVE-2020-2227.json b/2020/2xxx/CVE-2020-2227.json
index f2e74f41760..5028cfbf02c 100644
--- a/2020/2xxx/CVE-2020-2227.json
+++ b/2020/2xxx/CVE-2020-2227.json
@@ -1,17 +1,61 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-2227",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "jenkinsci-cert@googlegroups.com"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Jenkins project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Jenkins Deployer Framework Plugin",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "1.2",
+ "version_affected": "<="
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Jenkins Deployer Framework Plugin 1.2 and earlier does not escape the URL displayed in the build home page, resulting in a stored cross-site scripting vulnerability."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1915",
+ "url": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1915",
+ "refsource": "CONFIRM"
 }
 ]
 }
diff --git a/2020/2xxx/CVE-2020-2228.json b/2020/2xxx/CVE-2020-2228.json
index 0e46768e511..6c8c05a0c3f 100644
--- a/2020/2xxx/CVE-2020-2228.json
+++ b/2020/2xxx/CVE-2020-2228.json
@@ -1,17 +1,61 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2020-2228",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "jenkinsci-cert@googlegroups.com"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Jenkins project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Jenkins Gitlab Authentication Plugin",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "1.5",
+ "version_affected": "<="
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Jenkins Gitlab Authentication Plugin 1.5 and earlier does not perform group authorization checks properly, resulting in a privilege escalation vulnerability."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-269: Improper Privilege Management"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1792",
+ "url": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1792",
+ "refsource": "CONFIRM"
 }
 ]
 }
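Review bot: The `problemtype` value `CWE-269: Improper Privilege Management` names the outcome rather than the flaw the description states, which is that group authorization checks are not performed properly. An authorization-check weakness such as `"value": "CWE-863: Incorrect Authorization"` would seem to map more directly and helps triage tooling that groups findings by CWE; confirm against the linked advisory before changing it. The description also does not say which users can gain which permissions, so readers have to follow the SECURITY-1792 reference to judge their exposure.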