CVE-2019-10354

Published: Jul 17, 2019Modified: Nov 21, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information.

Affected (4)

Products: Jenkins: Jenkins · Redhat: Openshift Container Platform

Jenkins

1 product

Jenkins

Redhat

1 product

Openshift Container Platform

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Jenkins Jenkins	Up to 2.185
Jenkins Jenkins	Up to 2.176.1

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Redhat Openshift Container Platform	Version 3.11
Redhat Openshift Container Platform	Version 4.1

Related CWEs

CWE-862

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (10)

http://www.openwall.com/lists/oss-security/2019/07/17/2

Source: jenkinsci-cert@googlegroups.com

Mailing ListThird Party Advisory

http://www.securityfocus.com/bid/109373

Source: jenkinsci-cert@googlegroups.com

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2019:2503

Source: jenkinsci-cert@googlegroups.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2548

Source: jenkinsci-cert@googlegroups.com

Third Party Advisory

https://jenkins.io/security/advisory/2019-07-17/#SECURITY-534

Source: jenkinsci-cert@googlegroups.com

Vendor Advisory

http://www.openwall.com/lists/oss-security/2019/07/17/2