From fce6d18d46bf16e4610b2195a63549a21aed928d Mon Sep 17 00:00:00 2001
From: Kurt Seifried
Date: Tue, 19 Feb 2019 19:24:32 -0700
Subject: [PATCH] more jenkins cves
---
 2019/1003xxx/CVE-2019-1003024.json | 1 +
 2019/1003xxx/CVE-2019-1003025.json | 1 +
 2019/1003xxx/CVE-2019-1003026.json | 1 +
 2019/1003xxx/CVE-2019-1003027.json | 1 +
 2019/1003xxx/CVE-2019-1003028.json | 1 +
 5 files changed, 5 insertions(+)
 create mode 100644 2019/1003xxx/CVE-2019-1003024.json
 create mode 100644 2019/1003xxx/CVE-2019-1003025.json
 create mode 100644 2019/1003xxx/CVE-2019-1003026.json
 create mode 100644 2019/1003xxx/CVE-2019-1003027.json
 create mode 100644 2019/1003xxx/CVE-2019-1003028.json
diff --git a/2019/1003xxx/CVE-2019-1003024.json b/2019/1003xxx/CVE-2019-1003024.json
new file mode 100644
index 00000000000..c5ac0648f2b
--- /dev/null
+++ b/2019/1003xxx/CVE-2019-1003024.json
@@ -0,0 +1 @@
+{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1320"}]},"description": {"description_data": [{"lang": "eng","value": "A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.52 and earlier in RejectASTTransformsCustomizer.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.52 and earlier"}]},"product_name": "Jenkins Script Security Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-02-19T22:20:51.846360","ID": "CVE-2019-1003024","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-693"}]}]}}
\ No newline at end of file
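Review bot: The affected range is recorded only as prose in `"version_value": "1.52 and earlier"`, so tooling that matches this record against an installed Script Security Plugin version has nothing machine-readable to compare; the 4.0 schema carries the operator separately, e.g. `{"version_affected": "<=", "version_value": "1.52"}`. The description also stops at the vulnerable range and never names the release that closes the sandbox bypass, which for an Overall/Read-to-RCE issue is the first thing a responder looks for — presumably the linked SECURITY-1320 advisory has it, but the record should carry it too. Leave the prose in the description; the structured version field is where the operator belongs.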
diff --git a/2019/1003xxx/CVE-2019-1003025.json b/2019/1003xxx/CVE-2019-1003025.json
new file mode 100644
index 00000000000..f80f5b20b12
--- /dev/null
+++ b/2019/1003xxx/CVE-2019-1003025.json
@@ -0,0 +1 @@
+{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-876"}]},"description": {"description_data": [{"lang": "eng","value": "A exposure of sensitive information vulnerability exists in Jenkins Cloud Foundry Plugin 2.3.1 and earlier in AbstractCloudFoundryPushDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.3.1 and earlier"}]},"product_name": "Jenkins Cloud Foundry Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-02-19T22:20:51.847148","ID": "CVE-2019-1003025","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-201"}]}]}}
\ No newline at end of file
diff --git a/2019/1003xxx/CVE-2019-1003026.json b/2019/1003xxx/CVE-2019-1003026.json
new file mode 100644
index 00000000000..dd733ad6e4f
--- /dev/null
+++ b/2019/1003xxx/CVE-2019-1003026.json
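Review bot: The description opens with `A exposure of sensitive information vulnerability`, which should read `An exposure of sensitive information vulnerability`; this text is what NVD and downstream feeds republish verbatim, so it is worth getting right before it propagates. `"version_value": "2.3.1 and earlier"` folds the range operator into free text; `{"version_affected": "<=", "version_value": "2.3.1"}` keeps the range matchable against installed plugin versions. The impact sentence — credentials stored in Jenkins can be sent to an attacker-specified URL by anyone holding Overall/Read plus a credentials ID — is the important part and is stated clearly, so only the wording and the structured range need attention.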
@@ -0,0 +1 @@
+{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-985"}]},"description": {"description_data": [{"lang": "eng","value": "A server-side request forgery vulnerability exists in Jenkins Mattermost Notification Plugin 2.6.2 and earlier in MattermostNotifier.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified Mattermost server and room and send a message."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.6.2 and earlier"}]},"product_name": "Jenkins Mattermost Notification Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-02-19T22:20:51.847679","ID": "CVE-2019-1003026","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-441, CWE-918, CWE-352"}]}]}}
\ No newline at end of file
diff --git a/2019/1003xxx/CVE-2019-1003027.json b/2019/1003xxx/CVE-2019-1003027.json
new file mode 100644
index 00000000000..d1e27aa958d
--- /dev/null
+++ b/2019/1003xxx/CVE-2019-1003027.json
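Review bot: `"value": "CWE-441, CWE-918, CWE-352"` packs three weakness IDs into one string, but `problemtype_data[].description` is an array precisely so each CWE gets its own entry; a consumer keying on the value will match none of the three. Split it into `{"lang": "eng","value": "CWE-441"},{"lang": "eng","value": "CWE-918"},{"lang": "eng","value": "CWE-352"}`. Separately, CWE-352 (CSRF) is claimed but the description only describes an Overall/Read user making Jenkins contact an attacker-specified Mattermost server and room — it says nothing about the endpoint accepting GET or lacking a CSRF check — so either the description is missing that vector or the tag is unsupported, and the SECURITY-985 advisory should settle which. `"version_value": "2.6.2 and earlier"` should likewise become `{"version_affected": "<=", "version_value": "2.6.2"}`.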
@@ -0,0 +1 @@
+{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-817"}]},"description": {"description_data": [{"lang": "eng","value": "A server-side request forgery vulnerability exists in Jenkins OctopusDeploy Plugin 1.8.1 and earlier in OctopusDeployPlugin.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified URL and obtain the HTTP response code if successful, and exception error message otherwise."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.8.1 and earlier"}]},"product_name": "Jenkins OctopusDeploy Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-02-19T22:20:51.848292","ID": "CVE-2019-1003027","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-441, CWE-918, CWE-352"}]}]}}
\ No newline at end of file
diff --git a/2019/1003xxx/CVE-2019-1003028.json b/2019/1003xxx/CVE-2019-1003028.json
new file mode 100644
index 00000000000..60c1e56d45c
--- /dev/null
+++ b/2019/1003xxx/CVE-2019-1003028.json
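Review bot: The problemtype value `"CWE-441, CWE-918, CWE-352"` is one comma-joined string where the schema expects one `description` entry per CWE; as written it is not a valid CWE identifier and will not be matched by anything that indexes on CWE. Use three entries, `{"lang": "eng","value": "CWE-441"},{"lang": "eng","value": "CWE-918"},{"lang": "eng","value": "CWE-352"}`. The description is precise about what comes back to the attacker — the HTTP response code on success and the exception message otherwise — which is the detail that turns this SSRF into a reachability oracle for hosts Jenkins can see, so keep that wording; nothing in it supports the CWE-352 tag, though, so either describe the CSRF vector or drop the ID. `"version_value": "1.8.1 and earlier"` should also become `{"version_affected": "<=", "version_value": "1.8.1"}` so the range is machine-readable.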
@@ -0,0 +1 @@
+{"data_version": "4.0","references": {"reference_data": [{"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1033"}]},"description": {"description_data": [{"lang": "eng","value": "A server-side request forgery vulnerability exists in Jenkins JMS Messaging Plugin 1.1.1 and earlier in SSLCertificateAuthenticationMethod.java, UsernameAuthenticationMethod.java that allows attackers with Overall/Read permission to have Jenkins connect to a JMS endpoint."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.1.1 and earlier"}]},"product_name": "Jenkins JMS Messaging Plugin"}]},"vendor_name": "Jenkins project"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2019-02-19T22:20:51.848853","ID": "CVE-2019-1003028","ASSIGNER": "kurt@seifried.org","REQUESTER": "ml@beckweb.net"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "CWE-441, CWE-918, CWE-352"}]}]}}
\ No newline at end of file
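Review bot: The description says only that attackers `have Jenkins connect to a JMS endpoint` — unlike the other SSRF records in this patch it never says the endpoint is attacker-specified, so the text as written does not actually describe a forgery, and a reader cannot tell whether the attacker controls the broker address, the credentials used, or both. If the SECURITY-1033 advisory confirms attacker control, say so, e.g. `... to have Jenkins connect to an attacker-specified JMS endpoint using attacker-specified credentials`, trimmed to whatever is actually controllable. The two files named, `SSLCertificateAuthenticationMethod.java, UsernameAuthenticationMethod.java`, hint that credential-bearing form validation is involved, but that is inference from file names and should be stated explicitly or left out. `"CWE-441, CWE-918, CWE-352"` should also be split into one array entry per CWE, and CWE-352 needs a CSRF statement in the description to back it.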