Vulnerability-Lookup

CNVD-2021-67500

Vulnerability from cnvd - Published: 2021-09-02

Title

CloudBees Jenkins Nomad Plugin信息泄露漏洞

Description

CloudBees Jenkins（Hudson Labs）是美国CloudBees公司的一套基于Java开发的持续集成工具。该产品主要用于监控持续的软件版本发布/测试项目和一些定时执行的任务。 CloudBees Jenkins Nomad Plugin 0.7.4及之前版本存在信息泄露漏洞。该漏洞源于程序将未加密的Docker密码存储在Jenkins控制器上的全局config.xml文件所致。攻击者可利用该漏洞查看这些密码信息。

Severity

低

Patch Name

CloudBees Jenkins Nomad Plugin信息泄露漏洞的补丁

Patch Description

Formal description

CloudBees已经为此发布了一个安全公告（2021-08-31）以及相应补丁: 2021-08-31：Jenkins Security Advisory 2021-08-31 链接：https://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2376

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-21681

Impacted products

Name
CloudBees Jenkins Nomad Plugin <= 0.7.4

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-21681",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-21681"
    }
  },
  "description": "CloudBees Jenkins\uff08Hudson Labs\uff09\u662f\u7f8e\u56fdCloudBees\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8eJava\u5f00\u53d1\u7684\u6301\u7eed\u96c6\u6210\u5de5\u5177\u3002\u8be5\u4ea7\u54c1\u4e3b\u8981\u7528\u4e8e\u76d1\u63a7\u6301\u7eed\u7684\u8f6f\u4ef6\u7248\u672c\u53d1\u5e03/\u6d4b\u8bd5\u9879\u76ee\u548c\u4e00\u4e9b\u5b9a\u65f6\u6267\u884c\u7684\u4efb\u52a1\u3002\n\nCloudBees Jenkins Nomad Plugin 0.7.4\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u5c06\u672a\u52a0\u5bc6\u7684Docker\u5bc6\u7801\u5b58\u50a8\u5728Jenkins\u63a7\u5236\u5668\u4e0a\u7684\u5168\u5c40config.xml\u6587\u4ef6\u6240\u81f4\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u67e5\u770b\u8fd9\u4e9b\u5bc6\u7801\u4fe1\u606f\u3002",
  "formalWay": "CloudBees\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff082021-08-31\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\n2021-08-31\uff1aJenkins Security Advisory 2021-08-31\r\n\u94fe\u63a5\uff1ahttps://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2376",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-67500",
  "openTime": "2021-09-02",
  "patchDescription": "CloudBees Jenkins\uff08Hudson Labs\uff09\u662f\u7f8e\u56fdCloudBees\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8eJava\u5f00\u53d1\u7684\u6301\u7eed\u96c6\u6210\u5de5\u5177\u3002\u8be5\u4ea7\u54c1\u4e3b\u8981\u7528\u4e8e\u76d1\u63a7\u6301\u7eed\u7684\u8f6f\u4ef6\u7248\u672c\u53d1\u5e03/\u6d4b\u8bd5\u9879\u76ee\u548c\u4e00\u4e9b\u5b9a\u65f6\u6267\u884c\u7684\u4efb\u52a1\u3002\r\n\r\nCloudBees Jenkins Nomad Plugin 0.7.4\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u5c06\u672a\u52a0\u5bc6\u7684Docker\u5bc6\u7801\u5b58\u50a8\u5728Jenkins\u63a7\u5236\u5668\u4e0a\u7684\u5168\u5c40config.xml\u6587\u4ef6\u6240\u81f4\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u67e5\u770b\u8fd9\u4e9b\u5bc6\u7801\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "CloudBees Jenkins Nomad Plugin\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "CloudBees Jenkins Nomad Plugin \u003c= 0.7.4"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-21681",
  "serverity": "\u4f4e",
  "submitTime": "2021-09-01",
  "title": "CloudBees Jenkins Nomad Plugin\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2021-21681 (GCVE-0-2021-21681)

Vulnerability from cvelistv5 – Published: 2021-08-31 13:50 – Updated: 2024-08-03 18:23

Summary

Jenkins Nomad Plugin 0.7.4 and earlier stores Docker passwords unencrypted in the global config.xml file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Severity ?

No CVSS data available.

Assigner

jenkins

References

URL

Tags

	https://www.jenkins.io/security/advisory/2021-08-…	x_refsource_CONFIRM
	http://www.openwall.com/lists/oss-security/2021/08/31/1	mailing-listx_refsource_MLIST

Impacted products

	Vendor	Product	Version
	Jenkins project	Jenkins Nomad Plugin	Affected: unspecified , ≤ 0.7.4 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:23:29.264Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2396"
          },
          {
            "name": "[oss-security] 20210831 Multiple vulnerabilities in Jenkins plugins",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/08/31/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Jenkins Nomad Plugin",
          "vendor": "Jenkins project",
          "versions": [
            {
              "lessThanOrEqual": "0.7.4",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins Nomad Plugin 0.7.4 and earlier stores Docker passwords unencrypted in the global config.xml file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-24T15:51:51.419Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2396"
        },
        {
          "name": "[oss-security] 20210831 Multiple vulnerabilities in Jenkins plugins",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/08/31/1"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "jenkinsci-cert@googlegroups.com",
          "ID": "CVE-2021-21681",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Jenkins Nomad Plugin",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "0.7.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Jenkins project"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Jenkins Nomad Plugin 0.7.4 and earlier stores Docker passwords unencrypted in the global config.xml file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-256: Plaintext Storage of a Password"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2396",
              "refsource": "CONFIRM",
              "url": "https://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2396"
            },
            {
              "name": "[oss-security] 20210831 Multiple vulnerabilities in Jenkins plugins",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/08/31/1"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2021-21681",
    "datePublished": "2021-08-31T13:50:20.000Z",
    "dateReserved": "2021-01-04T00:00:00.000Z",
    "dateUpdated": "2024-08-03T18:23:29.264Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-67500

CVE-2021-21681 (GCVE-0-2021-21681)

Tags

Sightings

Nomenclature