nvd-json-data-feeds/CVE-2019/CVE-2019-10030xx/CVE-2019-1003011.json

{
  "id": "CVE-2019-1003011",
  "sourceIdentifier": "jenkinsci-cert@googlegroups.com",
  "published": "2019-02-06T16:29:00.623",
  "lastModified": "2020-09-29T00:50:31.817",
  "vulnStatus": "Analyzed",
  "descriptions": [
    {
      "lang": "en",
      "value": "An information exposure and denial of service vulnerability exists in Jenkins Token Macro Plugin 2.5 and earlier in src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkinsci/plugins/tokenmacro/TokenMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/AbstractChangesSinceMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ChangesSinceLastBuildMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ProjectUrlMacro.java that allows attackers with the ability to control token macro input (such as SCM changelogs) to define recursive input that results in unexpected macro evaluation."
    },
    {
      "lang": "es",
      "value": "Existe una vulnerabilidad de exposici\u00f3n de informaci\u00f3n en Jenkins Token Macro Plugin, en versiones 2.5 y anteriores, en src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkinsci/plugins/tokenmacro/TokenMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/AbstractChangesSinceMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ChangesSinceLastBuildMacro.java y src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ProjectUrlMacro.java, que permite que los atacantes con la capacidad de controlar entradas de macros de tokens (como los registros de cambios de SCM) definan entradas recursivas que resultan en una evaluaci\u00f3n inesperada de las macros."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:P",
          "accessVector": "NETWORK",
          "accessComplexity": "LOW",
          "authentication": "SINGLE",
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.5
        },
        "baseSeverity": "MEDIUM",
        "exploitabilityScore": 8.0,
        "impactScore": 4.9,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": false
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-674"
        }
      ]
    },
    {
      "source": "jenkinsci-cert@googlegroups.com",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        },
        {
          "lang": "en",
          "value": "CWE-674"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:jenkins:token_macro:*:*:*:*:*:jenkins:*:*",
              "versionEndIncluding": "2.5",
              "matchCriteriaId": "4798BE21-A4AD-4B21-A194-0184FB2C076C"
            }
          ]
        }
      ]
    },
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F87326E-0B56-4356-A889-73D026DB1D4B"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://access.redhat.com/errata/RHBA-2019:0326",
      "source": "jenkinsci-cert@googlegroups.com",
      "tags": [
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://access.redhat.com/errata/RHBA-2019:0327",
      "source": "jenkinsci-cert@googlegroups.com",
      "tags": [
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102",
      "source": "jenkinsci-cert@googlegroups.com",
      "tags": [
        "Vendor Advisory"
      ]
    }
  ]
}