From f751a67ee0b0c91b95610be99b170c1233865c62 Mon Sep 17 00:00:00 2001
From: Daniel Beck
Date: Tue, 31 Aug 2021 15:47:10 +0200
Subject: [PATCH] Add CVEs for 2021-08-31 Jenkins security advisory
---
 2021/21xxx/CVE-2021-21677.json | 56 +++++++++++++++++++++++++---
 2021/21xxx/CVE-2021-21678.json | 68 +++++++++++++++++++++++++++++++---
 2021/21xxx/CVE-2021-21679.json | 60 +++++++++++++++++++++++++++---
 2021/21xxx/CVE-2021-21680.json | 60 +++++++++++++++++++++++++++---
 2021/21xxx/CVE-2021-21681.json | 56 +++++++++++++++++++++++++---
 5 files changed, 270 insertions(+), 30 deletions(-)
diff --git a/2021/21xxx/CVE-2021-21677.json b/2021/21xxx/CVE-2021-21677.json
index 0e04a5f2c41..634a459a353 100644
--- a/2021/21xxx/CVE-2021-21677.json
+++ b/2021/21xxx/CVE-2021-21677.json
@@ -1,17 +1,61 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2021-21677",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "jenkinsci-cert@googlegroups.com"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Jenkins project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Jenkins Code Coverage API Plugin",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "1.4.0",
+ "version_affected": "<="
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk, resulting in a remote code execution vulnerability."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-502: Deserialization of Untrusted Data"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2376",
+ "url": "https://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2376",
+ "refsource": "CONFIRM"
 }
 ]
 }
diff --git a/2021/21xxx/CVE-2021-21678.json b/2021/21xxx/CVE-2021-21678.json
index 1c50f098c2a..aaf60ff7376 100644
--- a/2021/21xxx/CVE-2021-21678.json
+++ b/2021/21xxx/CVE-2021-21678.json
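Review bot: The new `CVE_data_meta` drops `"STATE": "RESERVED"` without putting a state back, so the record as written carries no `STATE` at all; the same applies to the hunks for CVE-2021-21678 through CVE-2021-21681. Consumers that filter on this field to separate published from reserved entries may skip or misclassify these five records unless the receiving pipeline fills it in, which is not visible in this patch. I would add `"STATE": "PUBLIC"` next to `ASSIGNER` in each file so the record is self-describing.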
@@ -1,17 +1,73 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2021-21678",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "jenkinsci-cert@googlegroups.com"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Jenkins project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Jenkins SAML Plugin",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "1.1.3",
+ "version_affected": ">="
+ },
+ {
+ "version_value": "2.0.7",
+ "version_affected": "<="
+ },
+ {
+ "version_value": "1.1.8",
+ "version_affected": "!"
+ },
+ {
+ "version_value": "2.0.3.1",
+ "version_affected": "!"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Jenkins SAML Plugin 2.0.7 and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-693: Protection Mechanism Failure"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2469",
+ "url": "https://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2469",
+ "refsource": "CONFIRM"
 }
 ]
 }
diff --git a/2021/21xxx/CVE-2021-21679.json b/2021/21xxx/CVE-2021-21679.json
index b3cbee9ce60..355223ac0a0 100644
--- a/2021/21xxx/CVE-2021-21679.json
+++ b/2021/21xxx/CVE-2021-21679.json
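Review bot: The four `version_data` entries only describe the intended set when read together, and nothing in the record says they must be: a consumer that evaluates each entry on its own will take `>=` `1.1.3` as matching every later release, fixed ones included. The description also says only "2.0.7 and earlier", so it disagrees with the structured data about the 1.1.3 lower bound and the two `!` releases (1.1.8 and 2.0.3.1). The same bounded-range pattern appears in the CVE-2021-21679 hunk, and the CVE-2021-21680 hunk has an exclusion (`!` `1.19.1`) that its description omits. I would state the full range in the text, for example `Jenkins SAML Plugin 1.1.3 through 2.0.7, except 1.1.8 and 2.0.3.1, allows ...`, provided that matches the advisory, so that scanners matching on either field reach the same answer.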
@@ -1,17 +1,65 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2021-21679",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "jenkinsci-cert@googlegroups.com"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Jenkins project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Jenkins Azure AD Plugin",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "164.v5b48baa961d2",
+ "version_affected": ">="
+ },
+ {
+ "version_value": "179.vf6841393099e",
+ "version_affected": "<="
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Jenkins Azure AD Plugin 179.vf6841393099e and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-693: Protection Mechanism Failure"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2470",
+ "url": "https://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2470",
+ "refsource": "CONFIRM"
 }
 ]
 }
diff --git a/2021/21xxx/CVE-2021-21680.json b/2021/21xxx/CVE-2021-21680.json
index 8bbffe6c1d9..aca96a26f27 100644
--- a/2021/21xxx/CVE-2021-21680.json
+++ b/2021/21xxx/CVE-2021-21680.json
@@ -1,17 +1,65 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2021-21680",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "jenkinsci-cert@googlegroups.com"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Jenkins project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Jenkins Nested View Plugin",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "1.20",
+ "version_affected": "<="
+ },
+ {
+ "version_value": "1.19.1",
+ "version_affected": "!"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Jenkins Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-611: Improper Restriction of XML External Entity Reference"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2411",
+ "url": "https://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2411",
+ "refsource": "CONFIRM"
 }
 ]
 }
diff --git a/2021/21xxx/CVE-2021-21681.json b/2021/21xxx/CVE-2021-21681.json
index 8bc01e2d27f..128db5a9549 100644
--- a/2021/21xxx/CVE-2021-21681.json
+++ b/2021/21xxx/CVE-2021-21681.json
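Review bot: The description added for CVE-2021-21680 names the missing hardening ("does not configure its XML transformer to prevent XML external entity (XXE) attacks") but gives neither the access an attacker needs nor the resulting impact, whereas the other descriptions in this commit state at least one of those. Someone triaging from the record alone cannot rank this entry without opening the advisory. I would extend the `value` string with the precondition and impact as worded in the linked SECURITY-2411 entry, rather than leaving them to be inferred from the CWE-611 label.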
@@ -1,17 +1,61 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2021-21681",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "jenkinsci-cert@googlegroups.com"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Jenkins project",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Jenkins Nomad Plugin",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "0.7.4",
+ "version_affected": "<="
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Jenkins Nomad Plugin 0.7.4 and earlier stores Docker passwords unencrypted in the global config.xml file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-256: Plaintext Storage of a Password"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2396",
+ "url": "https://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2396",
+ "refsource": "CONFIRM"
 }
 ]
 }