CVE-2019-10357

Published: Jul 31, 2019Modified: Nov 21, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

A missing permission check in Jenkins Pipeline: Shared Groovy Libraries Plugin 2.14 and earlier allowed users with Overall/Read access to obtain limited information about the content of SCM repositories referenced by global libraries.

Affected (3)

Products: Jenkins: Pipeline\ · Redhat: Openshift Container Platform

Jenkins

1 product

Pipeline\

Redhat

1 product

Openshift Container Platform

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Jenkins Pipeline\	Up to 2.14

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Redhat Openshift Container Platform	Version 3.11
Redhat Openshift Container Platform	Version 4.1

Related CWEs

CWE-862

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (10)

http://www.openwall.com/lists/oss-security/2019/07/31/1

Source: jenkinsci-cert@googlegroups.com

Mailing ListThird Party Advisory

https://access.redhat.com/errata/RHSA-2019:2594

Source: jenkinsci-cert@googlegroups.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2651

Source: jenkinsci-cert@googlegroups.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2662

Source: jenkinsci-cert@googlegroups.com

Third Party Advisory

https://jenkins.io/security/advisory/2019-07-31/#SECURITY1422

Source: jenkinsci-cert@googlegroups.com

Vendor Advisory

http://www.openwall.com/lists/oss-security/2019/07/31/1