Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02amZjLW1jOTctYzd3Z84AAhUt
Missing Authorization in Jenkins
A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information.
Permalink: https://github.com/advisories/GHSA-6jfc-mc97-c7wgJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02amZjLW1jOTctYzd3Z84AAhUt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 4 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-6jfc-mc97-c7wg, CVE-2019-10354
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10354
- https://access.redhat.com/errata/RHSA-2019:2503
- https://access.redhat.com/errata/RHSA-2019:2548
- https://jenkins.io/security/advisory/2019-07-17/#SECURITY-534
- http://www.openwall.com/lists/oss-security/2019/07/17/2
- https://github.com/jenkinsci/jenkins/commit/279d8109eddb7a494428baf25af9756c2e33576b
- https://github.com/jenkinsci/stapler/commit/19637555a9f32d3875356b47234131d8b1e9fee4
- https://github.com/advisories/GHSA-6jfc-mc97-c7wg
Blast Radius: 1.0
Affected Packages
maven:org.kohsuke.stapler:stapler-parent
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: < 1.257.1
Fixed in: 1.257.1
All affected versions:
All unaffected versions:
maven:org.jenkins-ci.main:jenkins-core
Affected Version Ranges: >= 2.177, <= 2.185, <= 2.176.1Fixed in: 2.186, 2.176.2