CVE-2019-10362

Published: Jul 31, 2019Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.5

Source: NVD

Description

Jenkins Configuration as Code Plugin 1.24 and earlier did not escape values resulting in variable interpolation during configuration import when exporting, allowing attackers with permission to change Jenkins system configuration to obtain the values of environment variables.

Affected (1)

Products: Jenkins: Configuration As Code

1 product

Configuration As Code

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Jenkins Configuration As Code	Up to 1.24

Related CWEs

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

References (4)

http://www.openwall.com/lists/oss-security/2019/07/31/1

Source: jenkinsci-cert@googlegroups.com

Mailing ListThird Party Advisory

https://jenkins.io/security/advisory/2019-07-31/#SECURITY-1446

Source: jenkinsci-cert@googlegroups.com

Vendor Advisory

http://www.openwall.com/lists/oss-security/2019/07/31/1

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://jenkins.io/security/advisory/2019-07-31/#SECURITY-1446

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.