All the vulnerabilites related to Jenkins project - Jenkins OctopusDeploy Plugin
cve-2019-1003027
Vulnerability from cvelistv5
Published
2019-02-20 21:00
Modified
2024-08-05 03:00
Severity ?
EPSS score ?
Summary
A server-side request forgery vulnerability exists in Jenkins OctopusDeploy Plugin 1.8.1 and earlier in OctopusDeployPlugin.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified URL and obtain the HTTP response code if successful, and exception error message otherwise.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jenkins.io/security/advisory/2019-02-19/#SECURITY-817 | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/107295 | vdb-entry, x_refsource_BID |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Jenkins project | Jenkins OctopusDeploy Plugin |
Version: 1.8.1 and earlier |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:00:19.287Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-817"
},
{
"name": "107295",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/107295"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jenkins OctopusDeploy Plugin",
"vendor": "Jenkins project",
"versions": [
{
"status": "affected",
"version": "1.8.1 and earlier"
}
]
}
],
"dateAssigned": "2019-02-19T00:00:00",
"datePublic": "2019-02-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A server-side request forgery vulnerability exists in Jenkins OctopusDeploy Plugin 1.8.1 and earlier in OctopusDeployPlugin.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified URL and obtain the HTTP response code if successful, and exception error message otherwise."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T16:45:01.553Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-817"
},
{
"name": "107295",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/107295"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"DATE_ASSIGNED": "2019-02-19T22:20:51.848292",
"ID": "CVE-2019-1003027",
"REQUESTER": "ml@beckweb.net",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jenkins OctopusDeploy Plugin",
"version": {
"version_data": [
{
"version_value": "1.8.1 and earlier"
}
]
}
}
]
},
"vendor_name": "Jenkins project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A server-side request forgery vulnerability exists in Jenkins OctopusDeploy Plugin 1.8.1 and earlier in OctopusDeployPlugin.java that allows attackers with Overall/Read permission to have Jenkins connect to an attacker-specified URL and obtain the HTTP response code if successful, and exception error message otherwise."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-441, CWE-918, CWE-352"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-817",
"refsource": "CONFIRM",
"url": "https://jenkins.io/security/advisory/2019-02-19/#SECURITY-817"
},
{
"name": "107295",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/107295"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2019-1003027",
"datePublished": "2019-02-20T21:00:00",
"dateReserved": "2019-02-20T00:00:00",
"dateUpdated": "2024-08-05T03:00:19.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-1003071
Vulnerability from cvelistv5
Published
2019-04-04 15:38
Modified
2024-08-05 03:07
Severity ?
EPSS score ?
Summary
Jenkins OctopusDeploy Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/107790 | vdb-entry, x_refsource_BID | |
| http://www.openwall.com/lists/oss-security/2019/04/12/2 | mailing-list, x_refsource_MLIST | |
| https://jenkins.io/security/advisory/2019-04-03/#SECURITY-957 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Jenkins project | Jenkins OctopusDeploy Plugin |
Version: all versions as of 2019-04-03 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:07:17.836Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "107790",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/107790"
},
{
"name": "[oss-security] 20190413 Re: Multiple vulnerabilities in Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-957"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jenkins OctopusDeploy Plugin",
"vendor": "Jenkins project",
"versions": [
{
"status": "affected",
"version": "all versions as of 2019-04-03"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins OctopusDeploy Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T16:45:53.911Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"name": "107790",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/107790"
},
{
"name": "[oss-security] 20190413 Re: Multiple vulnerabilities in Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-957"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2019-1003071",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jenkins OctopusDeploy Plugin",
"version": {
"version_data": [
{
"version_value": "all versions as of 2019-04-03"
}
]
}
}
]
},
"vendor_name": "Jenkins project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Jenkins OctopusDeploy Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-256"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "107790",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/107790"
},
{
"name": "[oss-security] 20190413 Re: Multiple vulnerabilities in Jenkins plugins",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
},
{
"name": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-957",
"refsource": "CONFIRM",
"url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-957"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2019-1003071",
"datePublished": "2019-04-04T15:38:48",
"dateReserved": "2019-04-03T00:00:00",
"dateUpdated": "2024-08-05T03:07:17.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}