cve-2019-10354
Vulnerability from cvelistv5
Published
2019-07-17 15:45
Modified
2024-08-04 22:17
Severity
Summary
A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information.
References
Source | URL | Tags |
---|---|---|
jenkinsci-cert@googlegroups.com | http://www.openwall.com/lists/oss-security/2019/07/17/2 | Mailing List, Third Party Advisory |
jenkinsci-cert@googlegroups.com | http://www.securityfocus.com/bid/109373 | Third Party Advisory, VDB Entry |
jenkinsci-cert@googlegroups.com | https://access.redhat.com/errata/RHSA-2019:2503 | Third Party Advisory |
jenkinsci-cert@googlegroups.com | https://access.redhat.com/errata/RHSA-2019:2548 | Third Party Advisory |
jenkinsci-cert@googlegroups.com | https://jenkins.io/security/advisory/2019-07-17/#SECURITY-534 | Vendor Advisory |
Impacted products
Vendor | Product |
---|---|
Jenkins project | Jenkins |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:17:20.331Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20190717 Multiple vulnerabilities in Jenkins", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2019/07/17/2" }, { "name": "109373", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/109373" }, { "name": "RHSA-2019:2503", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:2503" }, { "name": "RHSA-2019:2548", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:2548" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jenkins.io/security/advisory/2019-07-17/#SECURITY-534" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jenkins", "vendor": "Jenkins project", "versions": [ { "status": "affected", "version": "2.185 and earlier, LTS 2.176.1 and earlier" } ] } ], "descriptions": [ { "lang": "en", "value": "A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information." } ], "providerMetadata": { "dateUpdated": "2023-10-24T16:47:59.324Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "[oss-security] 20190717 Multiple vulnerabilities in Jenkins", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2019/07/17/2" }, { "name": "109373", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/109373" }, { "name": "RHSA-2019:2503", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:2503" }, { "name": "RHSA-2019:2548", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:2548" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jenkins.io/security/advisory/2019-07-17/#SECURITY-534" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2019-10354", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jenkins", "version": { "version_data": [ { "version_value": "2.185 and earlier, LTS 2.176.1 and earlier" } ] } } ] }, "vendor_name": "Jenkins project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-425" } ] } ] }, "references": { "reference_data": [ { "name": "[oss-security] 20190717 Multiple vulnerabilities in Jenkins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/07/17/2" }, { "name": "109373", "refsource": "BID", "url": "http://www.securityfocus.com/bid/109373" }, { "name": "RHSA-2019:2503", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2503" }, { "name": "RHSA-2019:2548", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2548" }, { "name": "https://jenkins.io/security/advisory/2019-07-17/#SECURITY-534", "refsource": "CONFIRM", "url": "https://jenkins.io/security/advisory/2019-07-17/#SECURITY-534" } ] } } } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2019-10354", "datePublished": "2019-07-17T15:45:13", "dateReserved": "2019-03-29T00:00:00", "dateUpdated": "2024-08-04T22:17:20.331Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2019-10354\",\"sourceIdentifier\":\"jenkinsci-cert@googlegroups.com\",\"published\":\"2019-07-17T16:15:12.553\",\"lastModified\":\"2023-10-25T18:16:17.803\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad en el framework web Stapler usado en Jenkins versiones 2.185 y anteriores, LTS versiones 2.176.1 y anteriores, ha permitido a los atacantes acceder directamente a los fragmentos de visualizaci\u00f3n, omitiendo las comprobaciones de permisos y posiblemente obtener informaci\u00f3n confidencial.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:N/A:N\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.0},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*\",\"versionEndIncluding\":\"2.176.1\",\"matchCriteriaId\":\"36061F39-5E8A-4308-B032-CACA3D215495\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*\",\"versionEndIncluding\":\"2.185\",\"matchCriteriaId\":\"096D9B21-29B1-40BD-AF5E-0802664D9F9A\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2F87326E-0B56-4356-A889-73D026DB1D4B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"064E7BDD-4EF0-4A0D-A38D-8C75BAFEDCEF\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2019/07/17/2\",\"source\":\"jenkinsci-cert@googlegroups.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/109373\",\"source\":\"jenkinsci-cert@googlegroups.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2503\",\"source\":\"jenkinsci-cert@googlegroups.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2548\",\"source\":\"jenkinsci-cert@googlegroups.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://jenkins.io/security/advisory/2019-07-17/#SECURITY-534\",\"source\":\"jenkinsci-cert@googlegroups.com\",\"tags\":[\"Vendor Advisory\"]}]}}" } }
Loading...