Jenkins CVEs

2025-06-08 14:08:13 +00:00 · 2019-03-06 14:45:30 -08:00 · 2019-03-06 14:45:30 -08:00 · f3ad0e959a
commit f3ad0e959a
parent 7903555c35
11 changed files with 11 additions and 0 deletions
--- a/2019/1003xxx/CVE-2019-1003029.json
+++ b/2019/1003xxx/CVE-2019-1003029.json
@ -0,0 +1 @@
+{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336%20(1)"}]},"description": {"description_data": [{"lang": "eng","value": "A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.53 and earlier"}]},"product_name": "Jenkins Script Security Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.383669","ID": "CVE-2019-1003029","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-693"}]}]}}
--- a/2019/1003xxx/CVE-2019-1003030.json
+++ b/2019/1003xxx/CVE-2019-1003030.json
@ -0,0 +1 @@
+{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336%20(2)"}]},"description": {"description_data": [{"lang": "eng","value": "A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.63 and earlier"}]},"product_name": "Jenkins Pipeline: Groovy Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.384525","ID": "CVE-2019-1003030","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-693"}]}]}}
--- a/2019/1003xxx/CVE-2019-1003031.json
+++ b/2019/1003xxx/CVE-2019-1003031.json
@ -0,0 +1 @@
+{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1339"}]},"description": {"description_data": [{"lang": "eng","value": "A sandbox bypass vulnerability exists in Jenkins Matrix Project Plugin 1.13 and earlier in pom.xml, src/main/java/hudson/matrix/FilterScript.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.13 and earlier"}]},"product_name": "Jenkins Matrix Project Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.384911","ID": "CVE-2019-1003031","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-693"}]}]}}
--- a/2019/1003xxx/CVE-2019-1003032.json
+++ b/2019/1003xxx/CVE-2019-1003032.json
@ -0,0 +1 @@
+{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1340"}]},"description": {"description_data": [{"lang": "eng","value": "A sandbox bypass vulnerability exists in Jenkins Email Extension Plugin 2.64 and earlier in pom.xml, src/main/java/hudson/plugins/emailext/ExtendedEmailPublisher.java, src/main/java/hudson/plugins/emailext/plugins/content/EmailExtScript.java, src/main/java/hudson/plugins/emailext/plugins/content/ScriptContent.java, src/main/java/hudson/plugins/emailext/plugins/trigger/AbstractScriptTrigger.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.64 and earlier"}]},"product_name": "Jenkins Email Extension Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.385288","ID": "CVE-2019-1003032","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-693"}]}]}}
--- a/2019/1003xxx/CVE-2019-1003033.json
+++ b/2019/1003xxx/CVE-2019-1003033.json
@ -0,0 +1 @@
+{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1338"}]},"description": {"description_data": [{"lang": "eng","value": "A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.1 and earlier in pom.xml, src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.1 and earlier"}]},"product_name": "Jenkins Groovy Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.385701","ID": "CVE-2019-1003033","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-693"}]}]}}
--- a/2019/1003xxx/CVE-2019-1003034.json
+++ b/2019/1003xxx/CVE-2019-1003034.json
@ -0,0 +1 @@
+{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1342"}]},"description": {"description_data": [{"lang": "eng","value": "A sandbox bypass vulnerability exists in Jenkins Job DSL Plugin 1.71 and earlier in job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/AbstractDslScriptLoader.groovy, job-dsl-plugin/build.gradle, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/JobDslWhitelist.groovy, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/SandboxDslScriptLoader.groovy that allows attackers with control over Job DSL definitions to execute arbitrary code on the Jenkins master JVM."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.71 and earlier"}]},"product_name": "Jenkins Job DSL Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.386102","ID": "CVE-2019-1003034","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-693"}]}]}}
--- a/2019/1003xxx/CVE-2019-1003035.json
+++ b/2019/1003xxx/CVE-2019-1003035.json
@ -0,0 +1 @@
+{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1330"}]},"description": {"description_data": [{"lang": "eng","value": "An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgentTemplate.java,  src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to perform the 'verify configuration' form validation action, thereby obtaining limited information about the Azure configuration."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "0.8.0 and earlier"}]},"product_name": "Jenkins Azure VM Agents Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.386559","ID": "CVE-2019-1003035","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-285, CWE-201"}]}]}}
--- a/2019/1003xxx/CVE-2019-1003036.json
+++ b/2019/1003xxx/CVE-2019-1003036.json
@ -0,0 +1 @@
+{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1331"}]},"description": {"description_data": [{"lang": "eng","value": "A data modification vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgent.java that allows attackers with Overall/Read permission to attach a public IP address to an Azure VM agent."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "0.8.0 and earlier"}]},"product_name": "Jenkins Azure VM Agents Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.386888","ID": "CVE-2019-1003036","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-285, CWE-352"}]}]}}
--- a/2019/1003xxx/CVE-2019-1003037.json
+++ b/2019/1003xxx/CVE-2019-1003037.json
@ -0,0 +1 @@
+{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1332"}]},"description": {"description_data": [{"lang": "eng","value": "An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "0.8.0 and earlier"}]},"product_name": "Jenkins Azure VM Agents Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.387239","ID": "CVE-2019-1003037","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-285, CWE-201"}]}]}}
--- a/2019/1003xxx/CVE-2019-1003038.json
+++ b/2019/1003xxx/CVE-2019-1003038.json
@ -0,0 +1 @@
+{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-958"}]},"description": {"description_data": [{"lang": "eng","value": "An insufficiently protected credentials vulnerability exists in Jenkins Repository Connector Plugin 1.2.4 and earlier in src/main/java/org/jvnet/hudson/plugins/repositoryconnector/ArtifactDeployer.java, src/main/java/org/jvnet/hudson/plugins/repositoryconnector/Repository.java, src/main/java/org/jvnet/hudson/plugins/repositoryconnector/UserPwd.java that allows an attacker with local file system access or control of a Jenkins administrator\u2019s web browser (e.g. malicious extension) to retrieve the password stored in the plugin configuration."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.2.4 and earlier"}]},"product_name": "Jenkins Repository Connector Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.387698","ID": "CVE-2019-1003038","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-522"}]}]}}
--- a/2019/1003xxx/CVE-2019-1003039.json
+++ b/2019/1003xxx/CVE-2019-1003039.json
@ -0,0 +1 @@
+{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1087"}]},"description": {"description_data": [{"lang": "eng","value": "An insufficiently protected credentials vulnerability exists in JenkinsAppDynamics Dashboard Plugin 1.0.14 and earlier in src/main/java/nl/codecentric/jenkins/appd/AppDynamicsResultsPublisher.java that allows attackers without permission to obtain passwords configured in jobs to obtain them."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.0.14 and earlier"}]},"product_name": "JenkinsAppDynamics Dashboard Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.388179","ID": "CVE-2019-1003039","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-522"}]}]}}
				`@ -0,0 +1 @@`
				{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336%20(1)"}]},"description": {"description_data": [{"lang": "eng","value": "A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.53 and earlier"}]},"product_name": "Jenkins Script Security Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-03-06T22:44:37.383669","ID": "CVE-2019-1003029","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-693"}]}]}}