All the vulnerabilites related to Jenkins Project - Jenkins Matrix Project Plugin
cve-2019-1003031
Vulnerability from cvelistv5
Published
2019-03-08 21:00
Modified
2024-08-05 03:00
Severity ?
EPSS score ?
Summary
A sandbox bypass vulnerability exists in Jenkins Matrix Project Plugin 1.13 and earlier in pom.xml, src/main/java/hudson/matrix/FilterScript.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1339 | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/107476 | vdb-entry, x_refsource_BID | |
| https://access.redhat.com/errata/RHSA-2019:0739 | vendor-advisory, x_refsource_REDHAT |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Jenkins project | Jenkins Matrix Project Plugin |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:00:19.269Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1339"
},
{
"name": "107476",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/107476"
},
{
"name": "RHSA-2019:0739",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0739"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jenkins Matrix Project Plugin",
"vendor": "Jenkins project",
"versions": [
{
"status": "affected",
"version": "1.13 and earlier"
}
]
}
],
"dateAssigned": "2019-03-06T00:00:00",
"datePublic": "2019-03-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A sandbox bypass vulnerability exists in Jenkins Matrix Project Plugin 1.13 and earlier in pom.xml, src/main/java/hudson/matrix/FilterScript.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T16:45:06.564Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1339"
},
{
"name": "107476",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/107476"
},
{
"name": "RHSA-2019:0739",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0739"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"DATE_ASSIGNED": "2019-03-06T22:44:37.384911",
"ID": "CVE-2019-1003031",
"REQUESTER": "ml@beckweb.net",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jenkins Matrix Project Plugin",
"version": {
"version_data": [
{
"version_value": "1.13 and earlier"
}
]
}
}
]
},
"vendor_name": "Jenkins project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A sandbox bypass vulnerability exists in Jenkins Matrix Project Plugin 1.13 and earlier in pom.xml, src/main/java/hudson/matrix/FilterScript.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-693"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1339",
"refsource": "CONFIRM",
"url": "https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1339"
},
{
"name": "107476",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/107476"
},
{
"name": "RHSA-2019:0739",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:0739"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2019-1003031",
"datePublished": "2019-03-08T21:00:00",
"dateReserved": "2019-03-08T00:00:00",
"dateUpdated": "2024-08-05T03:00:19.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-2224
Vulnerability from cvelistv5
Published
2020-07-15 17:00
Modified
2024-08-04 07:01
Severity ?
EPSS score ?
Summary
Jenkins Matrix Project Plugin 1.16 and earlier does not escape the node names shown in tooltips on the overview page of builds with a single axis, resulting in a stored cross-site scripting vulnerability.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1924 | x_refsource_CONFIRM | |
| http://www.openwall.com/lists/oss-security/2020/07/15/5 | mailing-list, x_refsource_MLIST |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Jenkins project | Jenkins Matrix Project Plugin |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:01:41.171Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1924"
},
{
"name": "[oss-security] 20200715 Multiple vulnerabilities in Jenkins and Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2020/07/15/5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jenkins Matrix Project Plugin",
"vendor": "Jenkins project",
"versions": [
{
"lessThanOrEqual": "1.16",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins Matrix Project Plugin 1.16 and earlier does not escape the node names shown in tooltips on the overview page of builds with a single axis, resulting in a stored cross-site scripting vulnerability."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T16:07:20.593Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1924"
},
{
"name": "[oss-security] 20200715 Multiple vulnerabilities in Jenkins and Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2020/07/15/5"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2020-2224",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jenkins Matrix Project Plugin",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "1.16"
}
]
}
}
]
},
"vendor_name": "Jenkins project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Jenkins Matrix Project Plugin 1.16 and earlier does not escape the node names shown in tooltips on the overview page of builds with a single axis, resulting in a stored cross-site scripting vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1924",
"refsource": "CONFIRM",
"url": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1924"
},
{
"name": "[oss-security] 20200715 Multiple vulnerabilities in Jenkins and Jenkins plugins",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2020/07/15/5"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2020-2224",
"datePublished": "2020-07-15T17:00:27",
"dateReserved": "2019-12-05T00:00:00",
"dateUpdated": "2024-08-04T07:01:41.171Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-23900
Vulnerability from cvelistv5
Published
2024-01-24 17:52
Modified
2024-08-01 23:13
Severity ?
EPSS score ?
Summary
Jenkins Matrix Project Plugin 822.v01b_8c85d16d2 and earlier does not sanitize user-defined axis names of multi-configuration projects, allowing attackers with Item/Configure permission to create or replace any config.xml files on the Jenkins controller file system with content not controllable by the attackers.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Jenkins Project | Jenkins Matrix Project Plugin |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:13:08.294Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Jenkins Security Advisory 2024-01-24",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3289"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/01/24/6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Jenkins Matrix Project Plugin",
"vendor": "Jenkins Project",
"versions": [
{
"lessThanOrEqual": "822.v01b_8c85d16d2",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins Matrix Project Plugin 822.v01b_8c85d16d2 and earlier does not sanitize user-defined axis names of multi-configuration projects, allowing attackers with Item/Configure permission to create or replace any config.xml files on the Jenkins controller file system with content not controllable by the attackers."
}
],
"providerMetadata": {
"dateUpdated": "2024-01-24T17:52:24.770Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"name": "Jenkins Security Advisory 2024-01-24",
"tags": [
"vendor-advisory"
],
"url": "https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3289"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/01/24/6"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2024-23900",
"datePublished": "2024-01-24T17:52:24.770Z",
"dateReserved": "2024-01-23T12:46:51.264Z",
"dateUpdated": "2024-08-01T23:13:08.294Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-2225
Vulnerability from cvelistv5
Published
2020-07-15 17:00
Modified
2024-08-04 07:01
Severity ?
EPSS score ?
Summary
Jenkins Matrix Project Plugin 1.16 and earlier does not escape the axis names shown in tooltips on the overview page of builds with multiple axes, resulting in a stored cross-site scripting vulnerability.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1925 | x_refsource_CONFIRM | |
| http://www.openwall.com/lists/oss-security/2020/07/15/5 | mailing-list, x_refsource_MLIST |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Jenkins project | Jenkins Matrix Project Plugin |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:01:41.253Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1925"
},
{
"name": "[oss-security] 20200715 Multiple vulnerabilities in Jenkins and Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2020/07/15/5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jenkins Matrix Project Plugin",
"vendor": "Jenkins project",
"versions": [
{
"lessThanOrEqual": "1.16",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins Matrix Project Plugin 1.16 and earlier does not escape the axis names shown in tooltips on the overview page of builds with multiple axes, resulting in a stored cross-site scripting vulnerability."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T16:07:21.771Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1925"
},
{
"name": "[oss-security] 20200715 Multiple vulnerabilities in Jenkins and Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2020/07/15/5"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2020-2225",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jenkins Matrix Project Plugin",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "1.16"
}
]
}
}
]
},
"vendor_name": "Jenkins project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Jenkins Matrix Project Plugin 1.16 and earlier does not escape the axis names shown in tooltips on the overview page of builds with multiple axes, resulting in a stored cross-site scripting vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1925",
"refsource": "CONFIRM",
"url": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1925"
},
{
"name": "[oss-security] 20200715 Multiple vulnerabilities in Jenkins and Jenkins plugins",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2020/07/15/5"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2020-2225",
"datePublished": "2020-07-15T17:00:28",
"dateReserved": "2019-12-05T00:00:00",
"dateUpdated": "2024-08-04T07:01:41.253Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-20615
Vulnerability from cvelistv5
Published
2022-01-12 19:05
Modified
2024-08-03 02:17
Severity ?
EPSS score ?
Summary
Jenkins Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters in node and label names, and label descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2017 | x_refsource_CONFIRM | |
| http://www.openwall.com/lists/oss-security/2022/01/12/6 | mailing-list, x_refsource_MLIST | |
| https://www.oracle.com/security-alerts/cpuapr2022.html | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Jenkins project | Jenkins Matrix Project Plugin |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T02:17:52.951Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2017"
},
{
"name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/12/6"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jenkins Matrix Project Plugin",
"vendor": "Jenkins project",
"versions": [
{
"lessThanOrEqual": "1.19",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "1.18.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters in node and label names, and label descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T14:19:03.589Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2017"
},
{
"name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/12/6"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2022-20615",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jenkins Matrix Project Plugin",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "1.19"
},
{
"version_affected": "!",
"version_value": "1.18.1"
}
]
}
}
]
},
"vendor_name": "Jenkins project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Jenkins Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters in node and label names, and label descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2017",
"refsource": "CONFIRM",
"url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2017"
},
{
"name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/01/12/6"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2022-20615",
"datePublished": "2022-01-12T19:05:49",
"dateReserved": "2021-10-28T00:00:00",
"dateUpdated": "2024-08-03T02:17:52.951Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}