cnvd - cnvd-2019-36104

cnvd-2019-36104

Vulnerability from cnvd

Title: CloudBees Jenkins Script Security Plugin信息泄露漏洞

Description:

CloudBees Jenkins（Hudson Labs）是美国CloudBees公司的一套基于Java开发的持续集成工具。该产品主要用于监控持续的软件版本发布、测试项目和一些定时执行的任务。Dependency Graph Viewer Plugin是使用在其中的一个依赖关系显示插件。

CloudBees Jenkins Script Security Plugin存在信息泄露漏洞，攻击者可利用该漏洞获取泄露的信息，进而恢复完整的密码。

Severity: 中

Patch Name: CloudBees Jenkins Script Security Plugin信息泄露漏洞的补丁

Patch Description:

CloudBees Jenkins Script Security Plugin存在信息泄露漏洞，攻击者可利用该漏洞获取泄露的信息，进而恢复完整的密码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://jenkins.io/security/advisory/2019-10-01/

Reference: https://jenkins.io/security/advisory/2019-10-01/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-10431

Impacted products

Name
CloudBees Jenkins Script Security Plugin <=1.64

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-10431",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2019-10431"
    }
  },
  "description": "CloudBees Jenkins\uff08Hudson Labs\uff09\u662f\u7f8e\u56fdCloudBees\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8eJava\u5f00\u53d1\u7684\u6301\u7eed\u96c6\u6210\u5de5\u5177\u3002\u8be5\u4ea7\u54c1\u4e3b\u8981\u7528\u4e8e\u76d1\u63a7\u6301\u7eed\u7684\u8f6f\u4ef6\u7248\u672c\u53d1\u5e03\u3001\u6d4b\u8bd5\u9879\u76ee\u548c\u4e00\u4e9b\u5b9a\u65f6\u6267\u884c\u7684\u4efb\u52a1\u3002Dependency Graph Viewer Plugin\u662f\u4f7f\u7528\u5728\u5176\u4e2d\u7684\u4e00\u4e2a\u4f9d\u8d56\u5173\u7cfb\u663e\u793a\u63d2\u4ef6\u3002\n\nCloudBees Jenkins Script Security Plugin\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u6cc4\u9732\u7684\u4fe1\u606f\uff0c\u8fdb\u800c\u6062\u590d\u5b8c\u6574\u7684\u5bc6\u7801\u3002",
  "discovererName": "Daniel Beck",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://jenkins.io/security/advisory/2019-10-01/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-36104",
  "openTime": "2019-10-20",
  "patchDescription": "CloudBees Jenkins\uff08Hudson Labs\uff09\u662f\u7f8e\u56fdCloudBees\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8eJava\u5f00\u53d1\u7684\u6301\u7eed\u96c6\u6210\u5de5\u5177\u3002\u8be5\u4ea7\u54c1\u4e3b\u8981\u7528\u4e8e\u76d1\u63a7\u6301\u7eed\u7684\u8f6f\u4ef6\u7248\u672c\u53d1\u5e03\u3001\u6d4b\u8bd5\u9879\u76ee\u548c\u4e00\u4e9b\u5b9a\u65f6\u6267\u884c\u7684\u4efb\u52a1\u3002Dependency Graph Viewer Plugin\u662f\u4f7f\u7528\u5728\u5176\u4e2d\u7684\u4e00\u4e2a\u4f9d\u8d56\u5173\u7cfb\u663e\u793a\u63d2\u4ef6\u3002\r\n\r\nCloudBees Jenkins Script Security Plugin\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u6cc4\u9732\u7684\u4fe1\u606f\uff0c\u8fdb\u800c\u6062\u590d\u5b8c\u6574\u7684\u5bc6\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "CloudBees Jenkins Script Security Plugin\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "CloudBees Jenkins Script Security Plugin \u003c=1.64"
  },
  "referenceLink": "https://jenkins.io/security/advisory/2019-10-01/ \r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-10431",
  "serverity": "\u4e2d",
  "submitTime": "2019-10-12",
  "title": "CloudBees Jenkins Script Security Plugin\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2019-10431 (GCVE-0-2019-10431)

Vulnerability from cvelistv5

Published

2019-10-01 13:45

Modified

2024-08-04 22:24

Severity ?

Summary

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.64 and earlier related to the handling of default parameter expressions in constructors allowed attackers to execute arbitrary code in sandboxed scripts.

References

▼	URL	Tags
	https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1579	x_refsource_CONFIRM
	http://www.openwall.com/lists/oss-security/2019/10/01/2	mailing-list, x_refsource_MLIST
	https://access.redhat.com/errata/RHSA-2019:4097	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:4055	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:4089	vendor-advisory, x_refsource_REDHAT

Impacted products

	Vendor	Product	Version
	Jenkins project	Jenkins Script Security Plugin	Version: 1.64 and earlier

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:24:18.372Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1579"
          },
          {
            "name": "[oss-security] 20191001 Multiple vulnerabilities in Jenkins plugins",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2019/10/01/2"
          },
          {
            "name": "RHSA-2019:4097",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4097"
          },
          {
            "name": "RHSA-2019:4055",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4055"
          },
          {
            "name": "RHSA-2019:4089",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4089"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Jenkins Script Security Plugin",
          "vendor": "Jenkins project",
          "versions": [
            {
              "status": "affected",
              "version": "1.64 and earlier"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.64 and earlier related to the handling of default parameter expressions in constructors allowed attackers to execute arbitrary code in sandboxed scripts."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-24T16:49:30.101Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1579"
        },
        {
          "name": "[oss-security] 20191001 Multiple vulnerabilities in Jenkins plugins",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2019/10/01/2"
        },
        {
          "name": "RHSA-2019:4097",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4097"
        },
        {
          "name": "RHSA-2019:4055",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4055"
        },
        {
          "name": "RHSA-2019:4089",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4089"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "jenkinsci-cert@googlegroups.com",
          "ID": "CVE-2019-10431",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Jenkins Script Security Plugin",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "1.64 and earlier"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Jenkins project"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.64 and earlier related to the handling of default parameter expressions in constructors allowed attackers to execute arbitrary code in sandboxed scripts."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-265"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1579",
              "refsource": "CONFIRM",
              "url": "https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1579"
            },
            {
              "name": "[oss-security] 20191001 Multiple vulnerabilities in Jenkins plugins",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2019/10/01/2"
            },
            {
              "name": "RHSA-2019:4097",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4097"
            },
            {
              "name": "RHSA-2019:4055",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4055"
            },
            {
              "name": "RHSA-2019:4089",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4089"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2019-10431",
    "datePublished": "2019-10-01T13:45:19",
    "dateReserved": "2019-03-29T00:00:00",
    "dateUpdated": "2024-08-04T22:24:18.372Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted