ID CVE-2019-16541
Summary Jenkins JIRA Plugin 3.0.10 and earlier does not declare the correct (folder) scope for per-folder Jira site definitions, allowing users to select and use credentials with System scope.
References
Vulnerable Configurations
  • cpe:2.3:a:jenkins:jira:1.0:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.1:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.2:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.3:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.4:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.5:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.6:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.7:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.8:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.9:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.10:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.11:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.12:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.13:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.15:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.16:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.17:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.18:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.19:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.20:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.21:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.22:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.23:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.24:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.25:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.26:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.27:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.28:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.29:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.30:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.31:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.32:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.33:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.34:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.35:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.36:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.37:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.38:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.39:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.40:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:1.41:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:2.0:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:2.0.1:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:2.0.2:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:2.0.3:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:2.1:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:2.2:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:2.2.1:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:2.3:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:2.3.1:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:2.4:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:2.4.2:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:2.5:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:2.5.1:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:2.5.2:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:3.0.0:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:3.0.1:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:3.0.2:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:3.0.3:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:3.0.4:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:3.0.5:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:3.0.6:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:3.0.7:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:3.0.8:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:3.0.9:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:jira:3.0.10:*:*:*:*:jenkins:*:*
CVSS
Base: 6.5 (as of 03-12-2019 - 17:36)
Impact:
Exploitability:
CWE CWE-668
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: SINGLE
Impact
  • Confidentiality: PARTIAL
  • Integrity: PARTIAL
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:S/C:P/I:P/A:P
redhat via4
rpms
  • jenkins-0:2.235.2.1597220898-1.el7
  • jenkins-2-plugins-0:3.11.1597310986-1.el7
  • openshift-ansible-0:3.11.272-1.git.0.79ab6e9.el7
  • openshift-ansible-docs-0:3.11.272-1.git.0.79ab6e9.el7
  • openshift-ansible-playbooks-0:3.11.272-1.git.0.79ab6e9.el7
  • openshift-ansible-roles-0:3.11.272-1.git.0.79ab6e9.el7
  • openshift-ansible-test-0:3.11.272-1.git.0.79ab6e9.el7
  • python2-rsa-0:4.5-2.el7
  • containers-common-1:1.1.1-2.rhaos4.6.el8
  • jenkins-2-plugins-0:4.6.1601368321-1.el8
  • openshift-clients-0:4.6.0-202010081244.p0.git.3794.4743d24.el7
  • openshift-clients-0:4.6.0-202010081244.p0.git.3794.4743d24.el8
  • openshift-clients-redistributable-0:4.6.0-202010081244.p0.git.3794.4743d24.el7
  • openshift-clients-redistributable-0:4.6.0-202010081244.p0.git.3794.4743d24.el8
  • podman-0:1.9.3-3.rhaos4.6.el8
  • podman-debuginfo-0:1.9.3-3.rhaos4.6.el8
  • podman-debugsource-0:1.9.3-3.rhaos4.6.el8
  • podman-docker-0:1.9.3-3.rhaos4.6.el8
  • podman-remote-0:1.9.3-3.rhaos4.6.el8
  • podman-remote-debuginfo-0:1.9.3-3.rhaos4.6.el8
  • podman-tests-0:1.9.3-3.rhaos4.6.el8
  • runc-0:1.0.0-81.rhaos4.6.git5b757d4.el7
  • runc-0:1.0.0-81.rhaos4.6.git5b757d4.el8
  • runc-debuginfo-0:1.0.0-81.rhaos4.6.git5b757d4.el7
  • runc-debuginfo-0:1.0.0-81.rhaos4.6.git5b757d4.el8
  • runc-debugsource-0:1.0.0-81.rhaos4.6.git5b757d4.el8
  • skopeo-1:1.1.1-2.rhaos4.6.el8
  • skopeo-debuginfo-1:1.1.1-2.rhaos4.6.el8
  • skopeo-debugsource-1:1.1.1-2.rhaos4.6.el8
  • skopeo-tests-1:1.1.1-2.rhaos4.6.el8
refmap via4
confirm https://jenkins.io/security/advisory/2019-11-21/#SECURITY-1106
mlist [oss-security] 20191121 Multiple vulnerabilities in Jenkins plugins
Last major update 03-12-2019 - 17:36
Published 21-11-2019 - 15:15
Last modified 03-12-2019 - 17:36