gsd-2022-30948
Vulnerability from gsd
Modified
2023-12-13 01:19
Details
Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-30948",
"description": "Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller\u0027s file system using local paths as SCM URLs, obtaining limited information about other projects\u0027 SCM contents.",
"id": "GSD-2022-30948",
"references": [
"https://access.redhat.com/errata/RHSA-2023:0017"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-30948"
],
"details": "Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller\u0027s file system using local paths as SCM URLs, obtaining limited information about other projects\u0027 SCM contents.",
"id": "GSD-2022-30948",
"modified": "2023-12-13T01:19:37.379705Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2022-30948",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jenkins Mercurial Plugin",
"version": {
"version_data": [
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"versions": [
{
"lessThanOrEqual": "2.16",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2.15.1"
}
]
}
}
]
}
}
]
},
"vendor_name": "Jenkins project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller\u0027s file system using local paths as SCM URLs, obtaining limited information about other projects\u0027 SCM contents."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478",
"refsource": "MISC",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478"
},
{
"name": "http://www.openwall.com/lists/oss-security/2022/05/17/8",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2022/05/17/8"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "(,4.11.1]",
"affected_versions": "All versions up to 4.11.1",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2022-05-26",
"description": "Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller\u0027s file system using local paths as SCM URLs, obtaining limited information about other projects\u0027 SCM contents.",
"fixed_versions": [
"4.11.2"
],
"identifier": "CVE-2022-30948",
"identifiers": [
"CVE-2022-30948"
],
"not_impacted": "All versions after 4.11.1",
"package_slug": "maven/org.jenkins-ci.plugins/git",
"pubdate": "2022-05-17",
"solution": "Upgrade to version 4.11.2 or above.",
"title": "Exposure of Sensitive Information",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-30948",
"http://www.openwall.com/lists/oss-security/2022/05/17/8",
"https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478"
],
"uuid": "363d237a-3a78-4c73-b3f4-e12103f204c7"
},
{
"affected_range": "(,2.16]",
"affected_versions": "All versions up to 2.16",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-937",
"CWE-688"
],
"date": "2022-05-26",
"description": "Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller\u0027s file system using local paths as SCM URLs, obtaining limited information about other projects\u0027 SCM contents.",
"fixed_versions": [
"2.16.1"
],
"identifier": "CVE-2022-30948",
"identifiers": [
"CVE-2022-30948"
],
"not_impacted": "All versions starting from 2.16.1",
"package_slug": "maven/org.jenkins-ci.plugins/mercurial",
"pubdate": "2022-05-17",
"solution": "Upgrade to version 2.16.1 or above.",
"title": "Exposure of Resource to Wrong Sphere",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-30948",
"http://www.openwall.com/lists/oss-security/2022/05/17/8",
"https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478"
],
"uuid": "99bef276-4465-492b-bfc1-6df4f8b32e08"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:jenkins:mercurial:*:*:*:*:*:jenkins:*:*",
"cpe_name": [],
"versionEndExcluding": "2.16.1",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2022-30948"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller\u0027s file system using local paths as SCM URLs, obtaining limited information about other projects\u0027 SCM contents."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20220517 Multiple vulnerabilities in Jenkins plugins",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/05/17/8"
},
{
"name": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2023-11-03T18:19Z",
"publishedDate": "2022-05-17T15:15Z"
}
}
}
Loading...