All the vulnerabilites related to Jenkins Project - Jenkins Sonar Gerrit Plugin
cve-2019-10467
Vulnerability from cvelistv5
Published
2019-10-23 12:45
Modified
2024-08-04 22:24
Severity ?
Summary
Jenkins Sonar Gerrit Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:24:18.595Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://jenkins.io/security/advisory/2019-10-23/#SECURITY-1003"
          },
          {
            "name": "[oss-security] 20191023 Multiple vulnerabilities in Jenkins plugins",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2019/10/23/2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Jenkins Sonar Gerrit Plugin",
          "vendor": "Jenkins project",
          "versions": [
            {
              "status": "affected",
              "version": "2.3 and earlier"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins Sonar Gerrit Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-24T16:50:12.202Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://jenkins.io/security/advisory/2019-10-23/#SECURITY-1003"
        },
        {
          "name": "[oss-security] 20191023 Multiple vulnerabilities in Jenkins plugins",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2019/10/23/2"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "jenkinsci-cert@googlegroups.com",
          "ID": "CVE-2019-10467",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Jenkins Sonar Gerrit Plugin",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "2.3 and earlier"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Jenkins project"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Jenkins Sonar Gerrit Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-256"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://jenkins.io/security/advisory/2019-10-23/#SECURITY-1003",
              "refsource": "CONFIRM",
              "url": "https://jenkins.io/security/advisory/2019-10-23/#SECURITY-1003"
            },
            {
              "name": "[oss-security] 20191023 Multiple vulnerabilities in Jenkins plugins",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2019/10/23/2"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2019-10467",
    "datePublished": "2019-10-23T12:45:41",
    "dateReserved": "2019-03-29T00:00:00",
    "dateUpdated": "2024-08-04T22:24:18.595Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-46688
Vulnerability from cvelistv5
Published
2022-12-07 00:00
Modified
2024-08-03 14:39
Severity ?
Summary
A cross-site request forgery (CSRF) vulnerability in Jenkins Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators) using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T14:39:38.622Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.jenkins.io/security/advisory/2022-12-07/#SECURITY-1002"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Jenkins Sonar Gerrit Plugin",
          "vendor": "Jenkins Project",
          "versions": [
            {
              "lessThanOrEqual": "377.v8f3808963dc5",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "unknown",
              "version": "next of 377.v8f3808963dc5",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A cross-site request forgery (CSRF) vulnerability in Jenkins Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators) using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-24T14:26:42.395Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "url": "https://www.jenkins.io/security/advisory/2022-12-07/#SECURITY-1002"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2022-46688",
    "datePublished": "2022-12-07T00:00:00",
    "dateReserved": "2022-12-06T00:00:00",
    "dateUpdated": "2024-08-03T14:39:38.622Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}