cnvd - cnvd-2019-30409

cnvd-2019-30409

Vulnerability from cnvd

Title

CloudBees Jenkins FTP publisher Plugin授权问题漏洞

Description

CloudBees Jenkins（Hudson Labs）是美国CloudBees公司的一套基于Java开发的持续集成工具。该产品主要用于监控持续的软件版本发布/测试项目和一些定时执行的任务。FTP publisher Plugin是使用在其中的一个用于将项目发布到FTP中的插件。 CloudBees Jenkins FTP publisher Plugin存在授权问题漏洞，目前暂无详细的漏洞细节提供。

Severity

中

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://jenkins.io/

Reference

http://www.securityfocus.com/bid/107790

Impacted products

Name
CloudBees Jenkins FTP publisher Plugin

Show details on source website

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "107790"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-1003059",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003059"
    }
  },
  "description": "CloudBees Jenkins\uff08Hudson Labs\uff09\u662f\u7f8e\u56fdCloudBees\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8eJava\u5f00\u53d1\u7684\u6301\u7eed\u96c6\u6210\u5de5\u5177\u3002\u8be5\u4ea7\u54c1\u4e3b\u8981\u7528\u4e8e\u76d1\u63a7\u6301\u7eed\u7684\u8f6f\u4ef6\u7248\u672c\u53d1\u5e03/\u6d4b\u8bd5\u9879\u76ee\u548c\u4e00\u4e9b\u5b9a\u65f6\u6267\u884c\u7684\u4efb\u52a1\u3002FTP publisher Plugin\u662f\u4f7f\u7528\u5728\u5176\u4e2d\u7684\u4e00\u4e2a\u7528\u4e8e\u5c06\u9879\u76ee\u53d1\u5e03\u5230FTP\u4e2d\u7684\u63d2\u4ef6\u3002\n\nCloudBees Jenkins FTP publisher Plugin\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u76ee\u524d\u6682\u65e0\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "discovererName": "Viktor Gazdag",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://jenkins.io/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-30409",
  "openTime": "2019-09-02",
  "products": {
    "product": "CloudBees Jenkins FTP publisher Plugin"
  },
  "referenceLink": "http://www.securityfocus.com/bid/107790",
  "serverity": "\u4e2d",
  "submitTime": "2019-08-23",
  "title": "CloudBees Jenkins FTP publisher Plugin\u6388\u6743\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2019-1003059 (GCVE-0-2019-1003059)

Vulnerability from cvelistv5

Published

2019-04-04 15:38

Modified

2024-08-05 03:07

Severity ?

Summary

A missing permission check in Jenkins FTP publisher Plugin in the FTPPublisher.DescriptorImpl#doLoginCheck method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

References

URL

Tags

	http://www.securityfocus.com/bid/107790	vdb-entry, x_refsource_BID
	http://www.openwall.com/lists/oss-security/2019/04/12/2	mailing-list, x_refsource_MLIST
	https://jenkins.io/security/advisory/2019-04-03/#SECURITY-974	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Jenkins project	Jenkins FTP publisher Plugin	Version: all versions as of 2019-04-03

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T03:07:17.887Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "107790",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/107790"
          },
          {
            "name": "[oss-security] 20190413 Re: Multiple vulnerabilities in Jenkins plugins",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-974"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Jenkins FTP publisher Plugin",
          "vendor": "Jenkins project",
          "versions": [
            {
              "status": "affected",
              "version": "all versions as of 2019-04-03"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A missing permission check in Jenkins FTP publisher Plugin in the FTPPublisher.DescriptorImpl#doLoginCheck method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-24T16:45:39.766Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "name": "107790",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/107790"
        },
        {
          "name": "[oss-security] 20190413 Re: Multiple vulnerabilities in Jenkins plugins",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-974"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "jenkinsci-cert@googlegroups.com",
          "ID": "CVE-2019-1003059",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Jenkins FTP publisher Plugin",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "all versions as of 2019-04-03"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Jenkins project"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A missing permission check in Jenkins FTP publisher Plugin in the FTPPublisher.DescriptorImpl#doLoginCheck method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-285"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "107790",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/107790"
            },
            {
              "name": "[oss-security] 20190413 Re: Multiple vulnerabilities in Jenkins plugins",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
            },
            {
              "name": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-974",
              "refsource": "CONFIRM",
              "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-974"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2019-1003059",
    "datePublished": "2019-04-04T15:38:48",
    "dateReserved": "2019-04-03T00:00:00",
    "dateUpdated": "2024-08-05T03:07:17.887Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.