All the vulnerabilities related to jenkins - git
Vulnerability from fkie_nvd
Published
2018-03-13 13:29
Modified
2024-11-21 03:39
Severity ?
Summary
An improper authorization vulnerability exists in Jenkins Git Plugin version 3.7.0 and earlier in GitStatus.java that allows an attacker with network access to obtain a list of nodes and users.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "0DC5520F-CF17-4998-B1CF-52B581E42D18", "versionEndIncluding": "3.7.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An improper authorization vulnerability exists in Jenkins Git Plugin version 3.7.0 and earlier in GitStatus.java that allows an attacker with network access to obtain a list of nodes and users." }, { "lang": "es", "value": "Existe una vulnerabilidad de autorizaci\u00f3n incorrecta en el plugin Git para Jenkins, en versiones 3.7.0 y anteriores, en GitStatus.java que permite que un atacante con acceso de red obtenga una lista de nodos y usuarios." } ], "id": "CVE-2018-1000110", "lastModified": "2024-11-21T03:39:39.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-03-13T13:29:00.640", "references": [ { "source": "cve@mitre.org", 
"tags": [ "Vendor Advisory" ], "url": "https://jenkins.io/security/advisory/2018-02-26/#SECURITY-723" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jenkins.io/security/advisory/2018-02-26/#SECURITY-723" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-07-27 15:15
Modified
2024-11-21 07:13
Severity ?
Summary
A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.
References
▼ | URL | Tags | |
---|---|---|---|
jenkinsci-cert@googlegroups.com | http://www.openwall.com/lists/oss-security/2022/07/27/1 | Mailing List, Third Party Advisory | |
jenkinsci-cert@googlegroups.com | https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/07/27/1 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284 | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "3CFA4D2B-B59E-406D-81B2-D1E91B0DABB9", "versionEndIncluding": "4.11.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit." }, { "lang": "es", "value": "Una vulnerabilidad de tipo cross-site request forgery (CSRF) en Jenkins Git Plugin versiones 4.11.3 y anteriores, permite a atacantes desencadenar construcciones de trabajos configurados para usar un repositorio Git especificado por el atacante y causar que comprueben un commit especificado por el atacante" } ], "id": "CVE-2022-36882", "lastModified": "2024-11-21T07:13:58.690", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-07-27T15:15:08.827", "references": [ { "source": "jenkinsci-cert@googlegroups.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/27/1" }, { "source": "jenkinsci-cert@googlegroups.com", "tags": [ "Vendor Advisory" ], "url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": 
"http://www.openwall.com/lists/oss-security/2022/07/27/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284" } ], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-10-05 01:29
Modified
2024-11-21 03:04
Severity ?
Summary
Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins, but able to guess the ID of a username/password credential, could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL, which would result in the Jenkins Git client sending the username and password to an attacker-controlled server.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.securityfocus.com/bid/100435 | Third Party Advisory, VDB Entry | |
cve@mitre.org | https://jenkins.io/security/advisory/2017-07-10/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/100435 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://jenkins.io/security/advisory/2017-07-10/ | Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:jenkins:git:0.1.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": "DB4E4FC0-7580-4FBB-A139-797A60357EB4", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:0.2.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": "677080D2-F865-4F8E-A950-690C063E8078", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:0.3.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": "46B3B5C9-5D20-4D53-921E-160B1ABB338C", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:0.4.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": "67C09409-E8DF-4174-B276-3C09DAB8CCD3", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:0.5.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": "AFA7DF0D-10B2-42E8-A721-601A47CB8E7E", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:0.6.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": "819379AD-978B-498B-98FC-ACD7BB0426FB", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:0.7.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": "16A1E997-1499-45EA-9DE4-9E30A071957A", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:0.7.1:*:*:*:*:jenkins:*:*", "matchCriteriaId": "2A50E52B-25F2-41CA-98AA-FAB65AB993FC", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:0.7.2:*:*:*:*:jenkins:*:*", "matchCriteriaId": "E0F1D344-77AC-4FB0-A12A-3E03CCB34E3B", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:0.7.3:*:*:*:*:jenkins:*:*", "matchCriteriaId": "B7754A95-AF91-49EF-8965-7E63AB1CCAFB", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:0.8.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": "1F589112-DEFC-4BC8-81A7-72DD2BC1FA0E", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:0.8.1:*:*:*:*:jenkins:*:*", "matchCriteriaId": "3CBF17E0-B324-49C0-AD5C-141D456CCC28", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:0.8.2:*:*:*:*:jenkins:*:*", "matchCriteriaId": "D41DA62C-75DC-46BC-B300-46EDDDCF456A", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:jenkins:git:0.9.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": "AFB68276-8776-4293-A762-5B2FE1862892", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:0.9.1:*:*:*:*:jenkins:*:*", "matchCriteriaId": "7FBCE99F-BF42-4126-8CCC-93927427293E", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:0.9.2:*:*:*:*:jenkins:*:*", "matchCriteriaId": "A8022A06-6A26-4BD4-82D5-C31E944B5425", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.0.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": "8F3F756A-02CC-4680-9C4D-B8913F54078F", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.0.1:*:*:*:*:jenkins:*:*", "matchCriteriaId": "1B09D69F-639C-43BA-856F-A0B61E43D66B", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": "A3298505-24F3-4335-9257-9FE6208B14FC", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.1:*:*:*:*:jenkins:*:*", "matchCriteriaId": "4526FCB4-1CFB-48A8-84AF-65267A1AF61E", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.2:*:*:*:*:jenkins:*:*", "matchCriteriaId": "0606E95F-66B8-4FE9-8B9E-0D110E3C0380", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.3:*:*:*:*:jenkins:*:*", "matchCriteriaId": "345AF76C-A05F-477E-96DA-D81E55F51397", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.4:*:*:*:*:jenkins:*:*", "matchCriteriaId": "4E619E21-218E-42E9-8B49-55ED5B6D1707", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.5:*:*:*:*:jenkins:*:*", "matchCriteriaId": "365AE461-27A5-4027-B3FB-911D073CDF76", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.6:*:*:*:*:jenkins:*:*", "matchCriteriaId": "323964F0-4A7A-4C78-BF55-3536682501C0", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.7:*:*:*:*:jenkins:*:*", "matchCriteriaId": "63A0EF35-CF43-4025-BDF0-782D995BDA13", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.8:*:*:*:*:jenkins:*:*", "matchCriteriaId": 
"99A5279C-041F-4E4F-916E-FA3C7E337095", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.9:*:*:*:*:jenkins:*:*", "matchCriteriaId": "54805166-D56E-47BE-8ED6-3934C7D37573", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.10:*:*:*:*:jenkins:*:*", "matchCriteriaId": "F488A22E-32B4-4F48-9147-39A08868D21C", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.11:*:*:*:*:jenkins:*:*", "matchCriteriaId": "2035150A-915D-4A3D-9E31-A07A26419347", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.12:*:*:*:*:jenkins:*:*", "matchCriteriaId": "FF7D4054-7393-4797-B029-218D6346F05B", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.13:*:*:*:*:jenkins:*:*", "matchCriteriaId": "F3180557-DB1A-4DF1-A1A2-CAC7953A55D2", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.14:*:*:*:*:jenkins:*:*", "matchCriteriaId": "0BA98018-F0DD-4338-9892-AA1B5F336A01", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.15:*:*:*:*:jenkins:*:*", "matchCriteriaId": "8463B4B8-F656-47C3-86DA-572C3C6C26F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.16:*:*:*:*:jenkins:*:*", "matchCriteriaId": "4ABD72A1-3802-432F-82B9-8620DEBF9736", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.17:*:*:*:*:jenkins:*:*", "matchCriteriaId": "F3758A9E-63E3-4D19-87F2-DD9EAE3805EA", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.18:*:*:*:*:jenkins:*:*", "matchCriteriaId": "15969DE6-CEF4-4E11-89C2-CA16A9EFA62A", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.19:*:*:*:*:jenkins:*:*", "matchCriteriaId": "142BCBAC-8779-4CAF-8B40-BBDFC655CC32", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.20:*:*:*:*:jenkins:*:*", "matchCriteriaId": "3C1EC783-A402-48A6-8EC4-354009927118", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.21:*:*:*:*:jenkins:*:*", "matchCriteriaId": "18C6971D-A64A-40E7-8699-319FB9C5C012", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:jenkins:git:1.1.22:*:*:*:*:jenkins:*:*", "matchCriteriaId": "00D49A22-8E40-4D90-9637-3983EE5A00D2", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.23:*:*:*:*:jenkins:*:*", "matchCriteriaId": "1BBC99C6-A757-4F50-B8D8-06E2D184F802", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.24:*:*:*:*:jenkins:*:*", "matchCriteriaId": "BAD742A3-0968-4125-8470-A606EF704EA4", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.25:*:*:*:*:jenkins:*:*", "matchCriteriaId": "8E1AA9C6-9298-4194-9E2B-1239CF5340F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.26:*:*:*:*:jenkins:*:*", "matchCriteriaId": "223A2980-F9B1-4487-A722-E5EB1C490A6B", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.27:*:*:*:*:jenkins:*:*", "matchCriteriaId": "04662411-8E1B-4475-9775-5486AFEA8CA5", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.28:*:*:*:*:jenkins:*:*", "matchCriteriaId": "E216DB21-0479-43A9-92E3-E8B7DD21D98D", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.1.29:*:*:*:*:jenkins:*:*", "matchCriteriaId": "9E0AC53B-F90C-4A43-B5DD-3AAD55A36668", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.2.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": "CDF0EE94-AB3B-4A53-B681-AEFD1B25CFC7", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.3.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": "676B8587-D103-4289-AAE7-AEC669901348", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.4.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": "52790BF9-338F-48E0-8589-8B12CD841577", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.5.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": "C89707D1-2517-414D-B4B8-7458F87C527D", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:1.6.0:beta-1:*:*:*:jenkins:*:*", "matchCriteriaId": "DDE9A7CC-4941-4C6B-8C9E-E4FDC6A857C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.0.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": 
"C3A56B14-5584-42D2-B612-D62B064806AD", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.0.0:alpha-1:*:*:*:jenkins:*:*", "matchCriteriaId": "93E6C099-AA06-405D-8711-657D83962EC8", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.0.0:alpha-2:*:*:*:jenkins:*:*", "matchCriteriaId": "00FB7EF8-0ED4-49EC-A43E-FE774B495656", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.0.0:beta-2:*:*:*:jenkins:*:*", "matchCriteriaId": "23F164E6-F9E1-4A3F-A3BC-48B2537DBA68", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.0.0:beta-3:*:*:*:jenkins:*:*", "matchCriteriaId": "76FDF0F0-F6E9-49EE-9BC7-2BFA59E970B8", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.0.1:*:*:*:*:jenkins:*:*", "matchCriteriaId": "084E37A1-4446-44C7-845A-CCEA77A6CF6B", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.0.2:*:*:*:*:jenkins:*:*", "matchCriteriaId": "23971890-1FD6-49AF-B14D-3435B05EAE51", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.0.3:*:*:*:*:jenkins:*:*", "matchCriteriaId": "E321BB4A-CD62-47A5-8E41-28B2FAD72DFA", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.0.4:*:*:*:*:jenkins:*:*", "matchCriteriaId": "1DFDB0FE-F09B-46ED-8595-D673DCE03250", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.1.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": "09CFCF17-D7ED-4F0B-95F6-21ECAF4DBAC7", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.2.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": "612D9AC8-996C-4AB2-9221-57A735A757CB", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.2.1:*:*:*:*:jenkins:*:*", "matchCriteriaId": "C9D2156A-2461-45D7-BFDA-48E1A1607042", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.2.2:*:*:*:*:jenkins:*:*", "matchCriteriaId": "2D0960CF-E96D-4750-93C3-A6BDE67E4534", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.2.3:*:*:*:*:jenkins:*:*", "matchCriteriaId": "30C24C33-FEFF-47DC-A608-646F3D64B260", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:jenkins:git:2.2.4:*:*:*:*:jenkins:*:*", "matchCriteriaId": "4A9A2E1B-5803-418A-8A40-674711037117", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.2.5:*:*:*:*:jenkins:*:*", "matchCriteriaId": "1C5AB485-17A4-4525-9D32-8032B0414DB1", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.2.6:*:*:*:*:jenkins:*:*", "matchCriteriaId": "2E86B79A-3574-4A6E-A8C3-1706790709BE", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.2.7:*:*:*:*:jenkins:*:*", "matchCriteriaId": "A8F007EC-A886-4544-9E83-8BABFFE9CA0B", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.2.8:*:*:*:*:jenkins:*:*", "matchCriteriaId": "40912236-69A3-4E2D-BD91-217FE52DCFBB", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.2.9:*:*:*:*:jenkins:*:*", "matchCriteriaId": "F830CEAC-AA1C-4B64-BFAD-FE9296BEF571", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.2.10:*:*:*:*:jenkins:*:*", "matchCriteriaId": "AC18C7E1-D808-401F-A97A-9631E35DA7D5", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.2.11:*:*:*:*:jenkins:*:*", "matchCriteriaId": "83A4C949-8A88-48FC-841E-DF9944E7D85D", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.2.12:*:*:*:*:jenkins:*:*", "matchCriteriaId": "09677FA9-1411-4FFF-A5B7-93758B1A455E", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.3.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": "41EC1109-DFE3-4BF5-BE6F-CEBDE78C05D0", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.3.0:beta-1:*:*:*:jenkins:*:*", "matchCriteriaId": "219FDFBE-AEBC-4DFE-AEC0-2E87AEB79BBF", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.3.0:beta-2:*:*:*:jenkins:*:*", "matchCriteriaId": "1BA545CA-4F7A-4C86-8AF8-7733F5FD94D2", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.3.0:beta-3:*:*:*:jenkins:*:*", "matchCriteriaId": "3D82424E-26BE-445F-8B98-AC89616CBE21", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.3.0:beta-4:*:*:*:jenkins:*:*", "matchCriteriaId": 
"5A7D44A1-A926-4321-9B8D-C8A02901C685", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.3.1:*:*:*:*:jenkins:*:*", "matchCriteriaId": "F0C9E21F-B5E8-4072-9405-75E503DAFABF", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.3.2:*:*:*:*:jenkins:*:*", "matchCriteriaId": "D77AA97E-55FD-4D7F-86B7-DFAD6C330A71", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.3.3:*:*:*:*:jenkins:*:*", "matchCriteriaId": "FA8DA453-C09F-4745-B056-057EDB7D93DE", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.3.4:*:*:*:*:jenkins:*:*", "matchCriteriaId": "F7B17F60-E1E6-4E5C-B91B-F8CCEDBC1EE5", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.3.5:*:*:*:*:jenkins:*:*", "matchCriteriaId": "AAFAA96E-76B5-4D11-939C-DBE647200F60", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.4.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": "DA1B861E-8E14-4B28-9110-790AA5225820", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.4.1:*:*:*:*:jenkins:*:*", "matchCriteriaId": "0B64FBA4-E28E-4560-922D-EE750EF1A5A8", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.4.2:*:*:*:*:jenkins:*:*", "matchCriteriaId": "AA791F81-C8BB-4C76-840C-6A338CD14B56", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.4.3:*:*:*:*:jenkins:*:*", "matchCriteriaId": "1BF74B44-160D-4C12-8F42-33320D14F42F", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.4.4:*:*:*:*:jenkins:*:*", "matchCriteriaId": "3B043F28-8821-47EA-AA0D-1BABD293B226", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.5.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": "01D52B58-F3E9-41D3-9F63-FA7FD52D07B9", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.5.0:beta-1:*:*:*:jenkins:*:*", "matchCriteriaId": "6284EE03-B9C8-416B-8AFE-E9DF69BBDFE3", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.5.0:beta-2:*:*:*:jenkins:*:*", "matchCriteriaId": "73C9FBCC-8EA0-4364-A07B-1D3313BD60A9", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:jenkins:git:2.5.0:beta-3:*:*:*:jenkins:*:*", "matchCriteriaId": "C74DB2EA-CCB6-4419-9895-9EBAB0B10497", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.5.0:beta-4:*:*:*:jenkins:*:*", "matchCriteriaId": "F6C95AAC-8D8D-4641-984B-03543ACA742A", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.5.0:beta-5:*:*:*:jenkins:*:*", "matchCriteriaId": "95CC9043-A604-4159-B088-144E22FC2692", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.5.1:*:*:*:*:jenkins:*:*", "matchCriteriaId": "A3691557-61F0-493D-BB07-31DC514AC6E1", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.5.2:*:*:*:*:jenkins:*:*", "matchCriteriaId": "62855947-0D7A-43E4-AA13-8ACE828670DA", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.5.3:*:*:*:*:jenkins:*:*", "matchCriteriaId": "1F0007C3-E62F-4967-B5D8-D32AD59032DF", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.6.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": "D74818F0-D227-4C20-A00B-98D9F90C0DEB", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.6.1:*:*:*:*:jenkins:*:*", "matchCriteriaId": "849FE2D4-6821-4FB7-A63A-4DB69F5E760D", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.6.2:*:*:*:*:jenkins:*:*", "matchCriteriaId": "1BA36392-D2A2-48FE-A0DA-F0506B8F4DA2", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.6.2:beta-1:*:*:*:jenkins:*:*", "matchCriteriaId": "1D7871F7-0464-4FE8-BE25-F1850E50FD34", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.6.2:beta-2:*:*:*:jenkins:*:*", "matchCriteriaId": "1F0491FA-ABC1-4F8A-8EC1-28B6A6DCE98E", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.6.4:*:*:*:*:jenkins:*:*", "matchCriteriaId": "DAF4DF9B-1A13-4E97-8EA7-314920CCFD27", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:2.6.5:*:*:*:*:jenkins:*:*", "matchCriteriaId": "B80C0DD3-D13E-4BE3-A725-D6F30C76539B", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:3.0.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": 
"64EB6FCA-F51A-4E19-8295-D33EC3C2F2A9", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:3.0.0:beta-1:*:*:*:jenkins:*:*", "matchCriteriaId": "F4004DD0-FA0F-496D-B55A-532BC2AC9C4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:3.0.0:beta-2:*:*:*:jenkins:*:*", "matchCriteriaId": "D50CF5BC-9DF3-4470-A251-FB9A293C6474", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:3.0.1:*:*:*:*:jenkins:*:*", "matchCriteriaId": "FFAE336E-F298-4DFE-A962-E12992F4E261", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:3.0.2:*:*:*:*:jenkins:*:*", "matchCriteriaId": "4A9CDB02-9046-4CEB-92DD-A543A9CCD60D", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:3.0.2:beta-1:*:*:*:jenkins:*:*", "matchCriteriaId": "9CEDCC1A-D893-4BC6-8F76-664E770A7282", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:3.0.2:beta-2:*:*:*:jenkins:*:*", "matchCriteriaId": "24FD6C60-A3ED-40D6-A81F-3F0E4B0F565D", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:3.0.3:*:*:*:*:jenkins:*:*", "matchCriteriaId": "6EFE4D87-9963-446E-85EC-9FB87D4A62DC", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:3.0.4:*:*:*:*:jenkins:*:*", "matchCriteriaId": "659C6AE8-7FBA-48CD-B7D7-50775163B920", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:3.0.5:*:*:*:*:jenkins:*:*", "matchCriteriaId": "8FF05032-310B-4CB7-A658-0D27852A03DC", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:3.1.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": "71A8E89B-39E9-4B5A-B814-B4981BB158E1", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:3.2.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": "B9567E6E-50BA-436A-82C8-B59BA8B75F9B", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:3.3.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": "7644636A-C6B9-4502-95B6-E7083D62AD35", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:3.3.1:*:*:*:*:jenkins:*:*", "matchCriteriaId": "7FFA6D47-FC31-4E7D-BACE-8A57BB674AC0", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:jenkins:git:3.4.0:alpha-1:*:*:*:jenkins:*:*", "matchCriteriaId": "903074CE-C5D6-4BCF-A7E3-44C490510756", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:3.4.0:alpha-4:*:*:*:jenkins:*:*", "matchCriteriaId": "AA7E1D39-4A57-4A1D-9D3A-33E48E4C0790", "vulnerable": true }, { "criteria": "cpe:2.3:a:jenkins:git:3.4.0:beta-1:*:*:*:jenkins:*:*", "matchCriteriaId": "5D749ADF-C75A-4C90-8735-50E12564838E", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL which would result in the Jenkins Git client sending the username and password to an attacker-controlled server." }, { "lang": "es", "value": "El plugin Git se conecta a un repositorio de Git especificado por el usuario como parte de la validaci\u00f3n de formularios. Un atacante que no tenga acceso directo a Jenkins pero que pueda adivinar un ID de credenciales de nombre de usuario/contrase\u00f1a podr\u00eda enga\u00f1ar a un desarrollador con permisos de configuraci\u00f3n de tareas para que acceda a un enlace con una URL Jenkins manipulada con fines maliciosos, lo que puede provocar que el cliente de Git de Jenkins env\u00ede el nombre de usuario y la contrase\u00f1a a un servidor controlado por el atacante." 
} ], "id": "CVE-2017-1000092", "lastModified": "2024-11-21T03:04:08.467", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-10-05T01:29:03.773", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/100435" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://jenkins.io/security/advisory/2017-07-10/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/100435" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jenkins.io/security/advisory/2017-07-10/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-07-27 15:15
Modified
2024-11-21 07:13
Severity ?
Summary
The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provides unauthenticated attackers with information about the existence of jobs configured to use an attacker-specified Git repository.
References
▼ | URL | Tags | |
---|---|---|---|
jenkinsci-cert@googlegroups.com | http://www.openwall.com/lists/oss-security/2022/07/27/1 | Mailing List, Third Party Advisory | |
jenkinsci-cert@googlegroups.com | https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/07/27/1 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284 | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "3CFA4D2B-B59E-406D-81B2-D1E91B0DABB9", "versionEndIncluding": "4.11.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository." }, { "lang": "es", "value": "El endpoint de webhook en Jenkins Git Plugin versiones4.11.3 y anteriores, proporciona a atacantes no autenticados informaci\u00f3n sobre la existencia de trabajos configurados para usar un repositorio Git especificado por el atacante" } ], "id": "CVE-2022-36884", "lastModified": "2024-11-21T07:13:59.117", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-07-27T15:15:08.933", "references": [ { "source": "jenkinsci-cert@googlegroups.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/27/1" }, { "source": "jenkinsci-cert@googlegroups.com", "tags": [ "Vendor Advisory" ], "url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/27/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": 
"https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284" } ], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-306" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-05-17 15:15
Modified
2024-11-21 07:03
Severity ?
Summary
Jenkins Git Plugin 4.11.1 and earlier allows attackers who are able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system by using local paths as SCM URLs, and thereby to obtain limited information about other projects' SCM contents.
References
▼ | URL | Tags | |
---|---|---|---|
jenkinsci-cert@googlegroups.com | http://www.openwall.com/lists/oss-security/2022/05/17/8 | Mailing List, Third Party Advisory | |
jenkinsci-cert@googlegroups.com | https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/05/17/8 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478 | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "FAAC4EAB-4E36-41EA-8F61-B057FF314BF3", "versionEndExcluding": "4.11.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Jenkins Git Plugin 4.11.1 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller\u0027s file system using local paths as SCM URLs, obtaining limited information about other projects\u0027 SCM contents." }, { "lang": "es", "value": "El Plugin Git de Jenkins versiones 4.11.1 y anteriores, permiten a atacantes configurar los pipelines para comprobar algunos repositorios SCM almacenados en el sistema de archivos del controlador de Jenkins usando rutas locales como URLs SCM, obteniendo informaci\u00f3n limitada sobre los contenidos SCM de otros proyectos" } ], "id": "CVE-2022-30947", "lastModified": "2024-11-21T07:03:36.643", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, 
"exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-05-17T15:15:08.797", "references": [ { "source": "jenkinsci-cert@googlegroups.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/05/17/8" }, { "source": "jenkinsci-cert@googlegroups.com", "tags": [ "Vendor Advisory" ], "url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/05/17/8" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478" } ], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-10-06 23:15
Modified
2024-11-21 05:48
Severity ?
Summary
Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability.
References
▼ | URL | Tags | |
---|---|---|---|
jenkinsci-cert@googlegroups.com | http://www.openwall.com/lists/oss-security/2021/10/06/1 | Mailing List, Third Party Advisory | |
jenkinsci-cert@googlegroups.com | https://www.jenkins.io/security/advisory/2021-10-06/#SECURITY-2499 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2021/10/06/1 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.jenkins.io/security/advisory/2021-10-06/#SECURITY-2499 | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "0FF494B4-1102-4B55-8842-6D07058B3D2D", "versionEndIncluding": "4.8.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability." }, { "lang": "es", "value": "El plugin Git de Jenkins versiones 4.8.2 y anteriores, no escapa a los par\u00e1metros de suma de comprobaci\u00f3n Git SHA-1 proporcionados a las notificaciones de commit cuando se muestran en una causa de construcci\u00f3n, resultando en una vulnerabilidad de tipo cross-site scripting (XSS) almacenado" } ], "id": "CVE-2021-21684", "lastModified": "2024-11-21T05:48:49.770", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", 
"type": "Primary" } ] }, "published": "2021-10-06T23:15:06.977", "references": [ { "source": "jenkinsci-cert@googlegroups.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2021/10/06/1" }, { "source": "jenkinsci-cert@googlegroups.com", "tags": [ "Vendor Advisory" ], "url": "https://www.jenkins.io/security/advisory/2021-10-06/#SECURITY-2499" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2021/10/06/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.jenkins.io/security/advisory/2021-10-06/#SECURITY-2499" } ], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-116" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-06-05 20:29
Modified
2024-11-21 03:39
Severity ?
Summary
A server-side request forgery vulnerability exists in Jenkins Git Plugin 3.9.0 and older in AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryBrowser.java, ViewGitWeb.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "BDF5AF94-D2B8-486D-B3FF-D3969481EC9E", "versionEndIncluding": "3.9.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A server-side request forgery vulnerability exists in Jenkins Git Plugin 3.9.0 and older in AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryBrowser.java, ViewGitWeb.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL." }, { "lang": "es", "value": "Existe una vulnerabilidad Server-Side Request Forgery en el plugin Git en versiones 3.9.0 y anteriores de Jenkins en AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryBrowser.java y ViewGitWeb.java que permite que los atacantes con acceso Overall/Read provoquen que Jenkins env\u00ede una petici\u00f3n GET a un URL espec\u00edfico." 
} ], "id": "CVE-2018-1000182", "lastModified": "2024-11-21T03:39:52.420", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-06-05T20:29:00.373", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-810" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-810" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-918" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-03-09 16:15
Modified
2024-11-21 05:24
Severity ?
Summary
Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation, resulting in a stored cross-site scripting vulnerability.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "7A9FC34F-C4BB-4B16-A7D2-EE8D21C11A5C", "versionEndIncluding": "4.2.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation, resulting in a stored cross-site scripting vulnerability." }, { "lang": "es", "value": "Jenkins Git Plugin versiones 4.2.0 y anteriores, no escapa al mensaje de error de la URL del repositorio para la comprobaci\u00f3n del formulario del campo TFS de Microsoft, resultando en una vulnerabilidad de tipo cross-site scripting almacenado." } ], "id": "CVE-2020-2136", "lastModified": "2024-11-21T05:24:45.417", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-03-09T16:15:12.797", "references": [ { "source": 
"jenkinsci-cert@googlegroups.com", "tags": [ "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2020/03/09/1" }, { "source": "jenkinsci-cert@googlegroups.com", "tags": [ "Vendor Advisory" ], "url": "https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1723" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2020/03/09/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1723" } ], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-08-23 17:15
Modified
2024-11-21 07:16
Severity ?
Summary
Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (`gitUsernamePassword`) credentials binding.
References
▼ | URL | Tags | |
---|---|---|---|
jenkinsci-cert@googlegroups.com | http://www.openwall.com/lists/oss-security/2022/08/23/2 | Mailing List, Third Party Advisory | |
jenkinsci-cert@googlegroups.com | https://www.jenkins.io/security/advisory/2022-08-23/#SECURITY-2796 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/08/23/2 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.jenkins.io/security/advisory/2022-08-23/#SECURITY-2796 | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "B84845C4-EC33-466D-81C3-6F523B73B953", "versionEndIncluding": "4.11.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (`gitUsernamePassword`) credentials binding." }, { "lang": "es", "value": "Jenkins Git Plugin versiones 4.11.4 y anteriores, no enmascara apropiadamente (es decir, reemplaza con asteriscos) las credenciales en el registro de construcci\u00f3n proporcionado por el enlace de credenciales Git Username and Password (\"gitUsernamePassword\")." } ], "id": "CVE-2022-38663", "lastModified": "2024-11-21T07:16:53.420", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-08-23T17:15:15.257", "references": [ { "source": "jenkinsci-cert@googlegroups.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/08/23/2" }, { "source": "jenkinsci-cert@googlegroups.com", "tags": [ "Vendor Advisory" ], "url": "https://www.jenkins.io/security/advisory/2022-08-23/#SECURITY-2796" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/08/23/2" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.jenkins.io/security/advisory/2022-08-23/#SECURITY-2796" } ], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-522" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-07-27 15:15
Modified
2024-11-21 07:13
Severity ?
Summary
A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.
References
▼ | URL | Tags | |
---|---|---|---|
jenkinsci-cert@googlegroups.com | http://www.openwall.com/lists/oss-security/2022/07/27/1 | Mailing List, Third Party Advisory | |
jenkinsci-cert@googlegroups.com | https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/07/27/1 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284 | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "3CFA4D2B-B59E-406D-81B2-D1E91B0DABB9", "versionEndIncluding": "4.11.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit." }, { "lang": "es", "value": "Una falta de comprobaci\u00f3n de permisos en Jenkins Git Plugin versiones 4.11.3 y anteriores, permite a atacantes no autenticados desencadenar construcciones de trabajos configurados para usar un repositorio Git especificado por el atacante y causarles una comprobaci\u00f3n de un commit especificado por el atacante" } ], "id": "CVE-2022-36883", "lastModified": "2024-11-21T07:13:58.903", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-07-27T15:15:08.880", "references": [ { "source": "jenkinsci-cert@googlegroups.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/27/1" }, { "source": "jenkinsci-cert@googlegroups.com", "tags": [ "Vendor Advisory" ], "url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": 
"http://www.openwall.com/lists/oss-security/2022/07/27/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284" } ], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-862" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-02-06 16:29
Modified
2024-11-21 04:17
Severity ?
Summary
A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
jenkins | git | * | |
redhat | openshift_container_platform | 3.11 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "B94330EE-CB01-4B9B-960E-1B0C49E28026", "versionEndIncluding": "3.9.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*", "matchCriteriaId": "2F87326E-0B56-4356-A889-73D026DB1D4B", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record." }, { "lang": "es", "value": "Existe una vulnerabilidad Cross-Site Request Forgery (CSRF) en Jenkins Git Plugin, en versiones 3.9.1 y anteriores, en src/main/java/hudson/plugins/git/GitTagAction.java, que permite que los atacantes creen una etiqueta Git en un espacio de trabajo y adjunten los metadatos correspondientes a un registro de builds." 
} ], "id": "CVE-2019-1003010", "lastModified": "2024-11-21T04:17:44.057", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-02-06T16:29:00.563", "references": [ { "source": "jenkinsci-cert@googlegroups.com", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHBA-2019:0326" }, { "source": "jenkinsci-cert@googlegroups.com", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHBA-2019:0327" }, { "source": "jenkinsci-cert@googlegroups.com", "tags": [ "Vendor Advisory" ], "url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1095" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHBA-2019:0326" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://access.redhat.com/errata/RHBA-2019:0327" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor 
Advisory" ], "url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1095" } ], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
cve-2017-1000092
Vulnerability from cvelistv5
Published
2017-10-04 01:00
Modified
2024-08-05 21:53
Severity ?
EPSS score ?
Summary
Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL which would result in the Jenkins Git client sending the username and password to an attacker-controlled server.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/100435 | vdb-entry, x_refsource_BID | |
https://jenkins.io/security/advisory/2017-07-10/ | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T21:53:06.676Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "100435", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/100435" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jenkins.io/security/advisory/2017-07-10/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "dateAssigned": "2017-08-22T00:00:00", "datePublic": "2017-10-03T00:00:00", "descriptions": [ { "lang": "en", "value": "Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL which would result in the Jenkins Git client sending the username and password to an attacker-controlled server." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-10-04T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "100435", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/100435" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jenkins.io/security/advisory/2017-07-10/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2017-08-22T17:29:33.312285", "ID": "CVE-2017-1000092", "REQUESTER": "ml@beckweb.net", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL which would result in the Jenkins Git client sending the username and password to an attacker-controlled server." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "100435", "refsource": "BID", "url": "http://www.securityfocus.com/bid/100435" }, { "name": "https://jenkins.io/security/advisory/2017-07-10/", "refsource": "CONFIRM", "url": "https://jenkins.io/security/advisory/2017-07-10/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-1000092", "datePublished": "2017-10-04T01:00:00", "dateReserved": "2017-07-13T00:00:00", "dateUpdated": "2024-08-05T21:53:06.676Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-30947
Vulnerability from cvelistv5
Published
2022-05-17 14:06
Modified
2024-08-03 07:03
Severity ?
EPSS score ?
Summary
Jenkins Git Plugin 4.11.1 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.
References
▼ | URL | Tags |
---|---|---|
https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478 | x_refsource_CONFIRM | |
http://www.openwall.com/lists/oss-security/2022/05/17/8 | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
Jenkins project | Jenkins Git Plugin | Version: unspecified ≤ 4.11.1 (affected); 4.9.1 (unaffected) | |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T07:03:40.003Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478" }, { "name": "[oss-security] 20220517 Multiple vulnerabilities in Jenkins plugins", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/05/17/8" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jenkins Git Plugin", "vendor": "Jenkins project", "versions": [ { "lessThanOrEqual": "4.11.1", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "status": "unaffected", "version": "4.9.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins Git Plugin 4.11.1 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller\u0027s file system using local paths as SCM URLs, obtaining limited information about other projects\u0027 SCM contents." 
} ], "providerMetadata": { "dateUpdated": "2023-10-24T14:21:41.505Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478" }, { "name": "[oss-security] 20220517 Multiple vulnerabilities in Jenkins plugins", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/05/17/8" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2022-30947", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jenkins Git Plugin", "version": { "version_data": [ { "version_affected": "\u003c=", "version_value": "4.11.1" }, { "version_affected": "!", "version_value": "4.9.1" } ] } } ] }, "vendor_name": "Jenkins project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Jenkins Git Plugin 4.11.1 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller\u0027s file system using local paths as SCM URLs, obtaining limited information about other projects\u0027 SCM contents." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-435: Improper Interaction Between Multiple Correctly-Behaving Entities" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478" }, { "name": "[oss-security] 20220517 Multiple vulnerabilities in Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/05/17/8" } ] } } } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2022-30947", "datePublished": "2022-05-17T14:06:05", "dateReserved": "2022-05-16T00:00:00", "dateUpdated": "2024-08-03T07:03:40.003Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-36883
Vulnerability from cvelistv5
Published
2022-07-27 14:21
Modified
2024-08-03 10:14
Summary
A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.
References
▼ | URL | Tags |
---|---|---|
https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284 | x_refsource_CONFIRM | |
http://www.openwall.com/lists/oss-security/2022/07/27/1 | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version |
---|---|---|
Jenkins project | Jenkins Git Plugin | Affected: ≤ 4.11.3; Unaffected: 4.9.3 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T10:14:28.862Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284" }, { "name": "[oss-security] 20220727 Multiple vulnerabilities in Jenkins plugins", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/27/1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jenkins Git Plugin", "vendor": "Jenkins project", "versions": [ { "lessThanOrEqual": "4.11.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "status": "unaffected", "version": "4.9.3" } ] } ], "descriptions": [ { "lang": "en", "value": "A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit." 
} ], "providerMetadata": { "dateUpdated": "2023-10-24T14:23:56.257Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284" }, { "name": "[oss-security] 20220727 Multiple vulnerabilities in Jenkins plugins", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/27/1" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2022-36883", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jenkins Git Plugin", "version": { "version_data": [ { "version_affected": "\u003c=", "version_value": "4.11.3" }, { "version_affected": "!", "version_value": "4.9.3" } ] } } ] }, "vendor_name": "Jenkins project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-862: Missing Authorization" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284" }, { "name": "[oss-security] 20220727 Multiple vulnerabilities in Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/07/27/1" } ] } } } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2022-36883", "datePublished": "2022-07-27T14:21:12", "dateReserved": "2022-07-27T00:00:00", "dateUpdated": "2024-08-03T10:14:28.862Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-36884
Vulnerability from cvelistv5
Published
2022-07-27 14:21
Modified
2024-08-03 10:14
Summary
The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provides unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository.
References
▼ | URL | Tags |
---|---|---|
https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284 | x_refsource_CONFIRM | |
http://www.openwall.com/lists/oss-security/2022/07/27/1 | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version |
---|---|---|
Jenkins project | Jenkins Git Plugin | Affected: ≤ 4.11.3; Unaffected: 4.9.3 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T10:14:29.343Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284" }, { "name": "[oss-security] 20220727 Multiple vulnerabilities in Jenkins plugins", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/27/1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jenkins Git Plugin", "vendor": "Jenkins project", "versions": [ { "lessThanOrEqual": "4.11.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "status": "unaffected", "version": "4.9.3" } ] } ], "descriptions": [ { "lang": "en", "value": "The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository." 
} ], "providerMetadata": { "dateUpdated": "2023-10-24T14:23:57.408Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284" }, { "name": "[oss-security] 20220727 Multiple vulnerabilities in Jenkins plugins", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/27/1" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2022-36884", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jenkins Git Plugin", "version": { "version_data": [ { "version_affected": "\u003c=", "version_value": "4.11.3" }, { "version_affected": "!", "version_value": "4.9.3" } ] } } ] }, "vendor_name": "Jenkins project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284" }, { "name": "[oss-security] 20220727 Multiple vulnerabilities in Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/07/27/1" } ] } } } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2022-36884", "datePublished": "2022-07-27T14:21:25", "dateReserved": "2022-07-27T00:00:00", "dateUpdated": "2024-08-03T10:14:29.343Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-36882
Vulnerability from cvelistv5
Published
2022-07-27 14:20
Modified
2024-08-03 10:14
Summary
A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.
References
▼ | URL | Tags |
---|---|---|
https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284 | x_refsource_CONFIRM | |
http://www.openwall.com/lists/oss-security/2022/07/27/1 | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version |
---|---|---|
Jenkins project | Jenkins Git Plugin | Affected: ≤ 4.11.3; Unaffected: 4.9.3 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T10:14:29.407Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284" }, { "name": "[oss-security] 20220727 Multiple vulnerabilities in Jenkins plugins", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/27/1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jenkins Git Plugin", "vendor": "Jenkins project", "versions": [ { "lessThanOrEqual": "4.11.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "status": "unaffected", "version": "4.9.3" } ] } ], "descriptions": [ { "lang": "en", "value": "A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit." 
} ], "providerMetadata": { "dateUpdated": "2023-10-24T14:23:55.063Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284" }, { "name": "[oss-security] 20220727 Multiple vulnerabilities in Jenkins plugins", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/27/1" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2022-36882", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jenkins Git Plugin", "version": { "version_data": [ { "version_affected": "\u003c=", "version_value": "4.11.3" }, { "version_affected": "!", "version_value": "4.9.3" } ] } } ] }, "vendor_name": "Jenkins project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-352: Cross-Site Request Forgery (CSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284" }, { "name": "[oss-security] 20220727 Multiple vulnerabilities in Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/07/27/1" } ] } } } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2022-36882", "datePublished": "2022-07-27T14:20:59", "dateReserved": "2022-07-27T00:00:00", "dateUpdated": "2024-08-03T10:14:29.407Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-1000110
Vulnerability from cvelistv5
Published
2018-03-13 13:00
Modified
2024-09-16 18:13
Summary
An improper authorization vulnerability exists in Jenkins Git Plugin version 3.7.0 and earlier in GitStatus.java that allows an attacker with network access to obtain a list of nodes and users.
References
▼ | URL | Tags |
---|---|---|
https://jenkins.io/security/advisory/2018-02-26/#SECURITY-723 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T12:33:49.330Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jenkins.io/security/advisory/2018-02-26/#SECURITY-723" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "dateAssigned": "2018-02-26T00:00:00", "descriptions": [ { "lang": "en", "value": "An improper authorization vulnerability exists in Jenkins Git Plugin version 3.7.0 and earlier in GitStatus.java that allows an attacker with network access to obtain a list of nodes and users." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-03-13T13:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jenkins.io/security/advisory/2018-02-26/#SECURITY-723" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2018-02-26", "ID": "CVE-2018-1000110", "REQUESTER": "ml@beckweb.net", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An improper authorization vulnerability exists in Jenkins Git Plugin version 3.7.0 and earlier in GitStatus.java that allows an attacker with network access to obtain a list of nodes and users." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://jenkins.io/security/advisory/2018-02-26/#SECURITY-723", "refsource": "CONFIRM", "url": "https://jenkins.io/security/advisory/2018-02-26/#SECURITY-723" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-1000110", "datePublished": "2018-03-13T13:00:00Z", "dateReserved": "2018-03-13T00:00:00Z", "dateUpdated": "2024-09-16T18:13:30.490Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-2136
Vulnerability from cvelistv5
Published
2020-03-09 15:00
Modified
2024-08-04 07:01
Summary
Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation, resulting in a stored cross-site scripting vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1723 | x_refsource_CONFIRM | |
http://www.openwall.com/lists/oss-security/2020/03/09/1 | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version |
---|---|---|
Jenkins project | Jenkins Git Plugin | Affected: ≤ 4.2.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T07:01:40.826Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1723" }, { "name": "[oss-security] 20200309 Multiple vulnerabilities in Jenkins plugins", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2020/03/09/1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jenkins Git Plugin", "vendor": "Jenkins project", "versions": [ { "lessThanOrEqual": "4.2.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation, resulting in a stored cross-site scripting vulnerability." 
} ], "providerMetadata": { "dateUpdated": "2023-10-24T16:05:36.638Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1723" }, { "name": "[oss-security] 20200309 Multiple vulnerabilities in Jenkins plugins", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2020/03/09/1" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2020-2136", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jenkins Git Plugin", "version": { "version_data": [ { "version_affected": "\u003c=", "version_value": "4.2.0" } ] } } ] }, "vendor_name": "Jenkins project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation, resulting in a stored cross-site scripting vulnerability." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1723", "refsource": "CONFIRM", "url": "https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1723" }, { "name": "[oss-security] 20200309 Multiple vulnerabilities in Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2020/03/09/1" } ] } } } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2020-2136", "datePublished": "2020-03-09T15:00:57", "dateReserved": "2019-12-05T00:00:00", "dateUpdated": "2024-08-04T07:01:40.826Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-21684
Vulnerability from cvelistv5
Published
2021-10-06 22:10
Modified
2024-08-03 18:23
Summary
Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://www.jenkins.io/security/advisory/2021-10-06/#SECURITY-2499 | x_refsource_CONFIRM | |
http://www.openwall.com/lists/oss-security/2021/10/06/1 | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version |
---|---|---|
Jenkins project | Jenkins Git Plugin | Affected: ≤ 4.8.2; Unaffected: 4.7.1.1, 4.3.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:23:28.621Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.jenkins.io/security/advisory/2021-10-06/#SECURITY-2499" }, { "name": "[oss-security] 20211006 Multiple vulnerabilities in Jenkins and Jenkins plugins", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2021/10/06/1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jenkins Git Plugin", "vendor": "Jenkins project", "versions": [ { "lessThanOrEqual": "4.8.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "status": "unaffected", "version": "4.7.1.1" }, { "status": "unaffected", "version": "4.3.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability." 
} ], "providerMetadata": { "dateUpdated": "2023-10-24T15:51:54.864Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.jenkins.io/security/advisory/2021-10-06/#SECURITY-2499" }, { "name": "[oss-security] 20211006 Multiple vulnerabilities in Jenkins and Jenkins plugins", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2021/10/06/1" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2021-21684", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jenkins Git Plugin", "version": { "version_data": [ { "version_affected": "\u003c=", "version_value": "4.8.2" }, { "version_affected": "!", "version_value": "4.7.1.1" }, { "version_affected": "!", "version_value": "4.3.1" } ] } } ] }, "vendor_name": "Jenkins project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.jenkins.io/security/advisory/2021-10-06/#SECURITY-2499", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2021-10-06/#SECURITY-2499" }, { "name": "[oss-security] 20211006 Multiple vulnerabilities in Jenkins and Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/10/06/1" } ] } } } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2021-21684", "datePublished": "2021-10-06T22:10:14", "dateReserved": "2021-01-04T00:00:00", "dateUpdated": "2024-08-03T18:23:28.621Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-1000182
Vulnerability from cvelistv5
Published
2018-06-05 20:00
Modified
2024-09-16 18:49
Summary
A server-side request forgery vulnerability exists in Jenkins Git Plugin 3.9.0 and older in AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryBrowser.java, ViewGitWeb.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL.
References
▼ | URL | Tags |
---|---|---|
https://jenkins.io/security/advisory/2018-06-04/#SECURITY-810 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T12:40:46.741Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-810" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "dateAssigned": "2018-06-05T00:00:00", "descriptions": [ { "lang": "en", "value": "A server-side request forgery vulnerability exists in Jenkins Git Plugin 3.9.0 and older in AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryBrowser.java, ViewGitWeb.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-06-05T20:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-810" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2018-06-05T12:46:01.938563", "DATE_REQUESTED": "2018-06-05T00:00:00", "ID": "CVE-2018-1000182", "REQUESTER": "ml@beckweb.net", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A server-side request forgery vulnerability exists in Jenkins Git Plugin 3.9.0 and older in AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryBrowser.java, 
ViewGitWeb.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-810", "refsource": "CONFIRM", "url": "https://jenkins.io/security/advisory/2018-06-04/#SECURITY-810" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-1000182", "datePublished": "2018-06-05T20:00:00Z", "dateReserved": "2018-06-05T00:00:00Z", "dateUpdated": "2024-09-16T18:49:17.863Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-38663
Vulnerability from cvelistv5
Published
2022-08-23 16:45
Modified
2024-08-03 11:02
Summary
Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (`gitUsernamePassword`) credentials binding.
References
▼ | URL | Tags |
---|---|---|
https://www.jenkins.io/security/advisory/2022-08-23/#SECURITY-2796 | x_refsource_CONFIRM | |
http://www.openwall.com/lists/oss-security/2022/08/23/2 | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version |
---|---|---|
Jenkins project | Jenkins Git Plugin | Affected: ≤ 4.11.4; Unaffected: 4.9.4 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T11:02:14.161Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.jenkins.io/security/advisory/2022-08-23/#SECURITY-2796" }, { "name": "[oss-security] 20220823 Multiple vulnerabilities in Jenkins plugins", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/08/23/2" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jenkins Git Plugin", "vendor": "Jenkins project", "versions": [ { "lessThanOrEqual": "4.11.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "status": "unaffected", "version": "4.9.4" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (`gitUsernamePassword`) credentials binding." 
} ], "providerMetadata": { "dateUpdated": "2023-10-24T14:24:44.104Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.jenkins.io/security/advisory/2022-08-23/#SECURITY-2796" }, { "name": "[oss-security] 20220823 Multiple vulnerabilities in Jenkins plugins", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/08/23/2" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2022-38663", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jenkins Git Plugin", "version": { "version_data": [ { "version_affected": "\u003c=", "version_value": "4.11.4" }, { "version_affected": "!", "version_value": "4.9.4" } ] } } ] }, "vendor_name": "Jenkins project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (`gitUsernamePassword`) credentials binding." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-522: Insufficiently Protected Credentials" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.jenkins.io/security/advisory/2022-08-23/#SECURITY-2796", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2022-08-23/#SECURITY-2796" }, { "name": "[oss-security] 20220823 Multiple vulnerabilities in Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/08/23/2" } ] } } } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2022-38663", "datePublished": "2022-08-23T16:45:16", "dateReserved": "2022-08-22T00:00:00", "dateUpdated": "2024-08-03T11:02:14.161Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-1003010
Vulnerability from cvelistv5
Published
2019-02-06 16:00
Modified
2024-08-05 03:00
Summary
A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record.
References
▼ | URL | Tags |
---|---|---|
https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1095 | x_refsource_CONFIRM | |
https://access.redhat.com/errata/RHBA-2019:0326 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHBA-2019:0327 | vendor-advisory, x_refsource_REDHAT |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T03:00:19.322Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1095" }, { "name": "RHBA-2019:0326", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHBA-2019:0326" }, { "name": "RHBA-2019:0327", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHBA-2019:0327" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2019-01-28T00:00:00", "descriptions": [ { "lang": "en", "value": "A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record." 
} ], "providerMetadata": { "dateUpdated": "2023-10-24T16:44:41.742Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1095" }, { "name": "RHBA-2019:0326", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHBA-2019:0326" }, { "name": "RHBA-2019:0327", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHBA-2019:0327" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2019-1003010", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1095", "refsource": "CONFIRM", "url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1095" }, { "name": "RHBA-2019:0326", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHBA-2019:0326" }, { "name": "RHBA-2019:0327", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHBA-2019:0327" } ] } } } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2019-1003010", "datePublished": "2019-02-06T16:00:00", "dateReserved": "2019-02-06T00:00:00", "dateUpdated": "2024-08-05T03:00:19.322Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }