cnvd - cnvd-2019-42813

CNVD-2019-42813

Vulnerability from cnvd - Published: 2019-11-29

Title

CloudBees Jenkins ElasticBox CI Plugin存在未明漏洞

Description

CloudBees Jenkins（Hudson Labs）是美国CloudBees公司的一套基于Java开发的持续集成工具。该产品主要用于监控持续的软件版本发布/测试项目和一些定时执行的任务。ElasticBox CI Plugin是使用在其中的一个通过Cloud Application Manager在不同的云提供商中按需启动、配置和管理Jenkins从属的插件。 CloudBees Jenkins ElasticBox CI Plugin存在未明漏洞，该漏洞源于程序将明文形式的凭证存储在Jenkins master上的config.xml全局配置文件中。攻击者可利用该漏洞查看凭证。

Severity

低

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://jenkins.io/

Reference

https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1434

Impacted products

Name
CloudBees Jenkins ElasticBox CI Plugin

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-10450",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2019-10450"
    }
  },
  "description": "CloudBees Jenkins\uff08Hudson Labs\uff09\u662f\u7f8e\u56fdCloudBees\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8eJava\u5f00\u53d1\u7684\u6301\u7eed\u96c6\u6210\u5de5\u5177\u3002\u8be5\u4ea7\u54c1\u4e3b\u8981\u7528\u4e8e\u76d1\u63a7\u6301\u7eed\u7684\u8f6f\u4ef6\u7248\u672c\u53d1\u5e03/\u6d4b\u8bd5\u9879\u76ee\u548c\u4e00\u4e9b\u5b9a\u65f6\u6267\u884c\u7684\u4efb\u52a1\u3002ElasticBox CI Plugin\u662f\u4f7f\u7528\u5728\u5176\u4e2d\u7684\u4e00\u4e2a\u901a\u8fc7Cloud Application Manager\u5728\u4e0d\u540c\u7684\u4e91\u63d0\u4f9b\u5546\u4e2d\u6309\u9700\u542f\u52a8\u3001\u914d\u7f6e\u548c\u7ba1\u7406Jenkins\u4ece\u5c5e\u7684\u63d2\u4ef6\u3002\n\nCloudBees Jenkins ElasticBox CI Plugin\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u5c06\u660e\u6587\u5f62\u5f0f\u7684\u51ed\u8bc1\u5b58\u50a8\u5728Jenkins master\u4e0a\u7684config.xml\u5168\u5c40\u914d\u7f6e\u6587\u4ef6\u4e2d\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u67e5\u770b\u51ed\u8bc1\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://jenkins.io/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-42813",
  "openTime": "2019-11-29",
  "products": {
    "product": "CloudBees Jenkins ElasticBox CI Plugin"
  },
  "referenceLink": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1434",
  "serverity": "\u4f4e",
  "submitTime": "2019-10-23",
  "title": "CloudBees Jenkins ElasticBox CI Plugin\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

CVE-2019-10450 (GCVE-0-2019-10450)

Vulnerability from cvelistv5 – Published: 2019-10-16 13:00 – Updated: 2024-08-04 22:24

Summary

Jenkins ElasticBox CI Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Severity ?

No CVSS data available.

Assigner

jenkins

References

URL

Tags

https://jenkins.io/security/advisory/2019-10-16/#…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Jenkins project	Jenkins ElasticBox CI Plugin	Affected: 5.0.1 and earlier

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:24:18.579Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1434"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Jenkins ElasticBox CI Plugin",
          "vendor": "Jenkins project",
          "versions": [
            {
              "status": "affected",
              "version": "5.0.1 and earlier"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins ElasticBox CI Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-24T16:49:52.469Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1434"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "jenkinsci-cert@googlegroups.com",
          "ID": "CVE-2019-10450",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Jenkins ElasticBox CI Plugin",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "5.0.1 and earlier"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Jenkins project"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Jenkins ElasticBox CI Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-256"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1434",
              "refsource": "CONFIRM",
              "url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1434"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2019-10450",
    "datePublished": "2019-10-16T13:00:51",
    "dateReserved": "2019-03-29T00:00:00",
    "dateUpdated": "2024-08-04T22:24:18.579Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2019-42813

CVE-2019-10450 (GCVE-0-2019-10450)

Tags

Sightings

Nomenclature