Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14Nmp3LTJmMjMtbWM1as3mkg
Exposure of Sensitive Information to an Unauthorized Actor in Jenkins
An improper input validation vulnerability exists in Jenkins 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an unauthenticated remote attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system (the default for NTFS on Windows and for APFS/HFS+ on macOS). The check that blocks those directories compared request paths case-sensitively, so a differently cased path such as web-inf/ was passed through and resolved to the same directory by the file system.
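The bug class behind this advisory is a case-sensitive path denylist sitting in front of a case-insensitive file system. The Python below is an added illustration of that pattern, not Jenkins' code and not the SECURITY-717 patch: the in-memory plugin tree, the two file-system stand-ins, and the vulnerable_serve / hardened_serve functions are all constructed for this example.

```python
"""Case-sensitive path denylist defeated by a case-insensitive file system.

Constructed illustration of the bug class described in CVE-2018-1000068
(Jenkins SECURITY-717); it does not reproduce Jenkins' own code or patch.
"""
import posixpath

# Constructed in-memory "exploded plugin" tree standing in for
# $JENKINS_HOME/plugins/<name>/. Only images/ is meant to be served;
# WEB-INF/ and META-INF/ are internal.
PLUGIN_FILES = {
    "images/icon.png": b"\x89PNG",
    "WEB-INF/classes/secret.properties": b"api.token=REDACTED",
    "META-INF/MANIFEST.MF": b"Plugin-Version: 1.0",
}

PROTECTED_DIRS = ("WEB-INF", "META-INF")


class CaseSensitiveFS:
    """Stand-in for ext4 and friends: the path must match byte for byte."""

    def read(self, rel_path):
        return PLUGIN_FILES.get(rel_path)


class CaseInsensitiveFS:
    """Stand-in for NTFS / APFS defaults: 'web-inf' resolves to 'WEB-INF'."""

    def __init__(self):
        self._index = {name.lower(): name for name in PLUGIN_FILES}

    def read(self, rel_path):
        real = self._index.get(rel_path.lower())
        return PLUGIN_FILES[real] if real is not None else None


def vulnerable_serve(request_path, fs):
    """Denylist that compares the literal request path (the SECURITY-717 bug class).

    Blocks '/WEB-INF/...' but not '/web-inf/...'; on a case-insensitive file
    system the latter opens the same file.
    """
    if ".." in request_path:
        return None
    if request_path.startswith("/WEB-INF/") or request_path.startswith("/META-INF/"):
        return None
    return fs.read(request_path.lstrip("/"))


def hardened_serve(request_path, fs):
    """Normalize first, then reject protected names case-insensitively per segment.

    Rejects any segment equal to WEB-INF/META-INF in any case, dot-prefixed
    segments, percent-encoding (so a later decoder cannot re-open the hole),
    and backslashes (a separator on Windows). Traversal is collapsed by
    normpath before the check, so '/images/../web-inf/x' is judged as '/web-inf/x'.
    """
    if "%" in request_path or "\\" in request_path:
        return None
    normalized = posixpath.normpath("/" + request_path.lstrip("/"))
    segments = [s for s in normalized.split("/") if s]
    if not segments:
        return None
    for seg in segments:
        if seg.upper() in PROTECTED_DIRS or seg.startswith("."):
            return None
    return fs.read("/".join(segments))


def demo():
    """Run the mixed-case probe against both checks on both file systems."""
    probe = "/web-inf/classes/secret.properties"
    return {
        "vuln_case_sensitive": vulnerable_serve(probe, CaseSensitiveFS()),
        "vuln_case_insensitive": vulnerable_serve(probe, CaseInsensitiveFS()),
        "hard_case_insensitive": hardened_serve(probe, CaseInsensitiveFS()),
        "hard_legit": hardened_serve("/images/icon.png", CaseInsensitiveFS()),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The same probe returns nothing on the case-sensitive stand-in and the secret on the case-insensitive one, which is why the advisory conditions the impact on the file system under JENKINS_HOME. The hardened version takes the usual lesson from this class of bug: canonicalize the path before comparing, and compare every segment case-insensitively rather than prefix-matching the raw request.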
Permalink: https://github.com/advisories/GHSA-x6jw-2f23-mc5j
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14Nmp3LTJmMjMtbWM1as3mkg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
CVSS Score: 5.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-x6jw-2f23-mc5j, CVE-2018-1000068
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000068
- https://jenkins.io/security/advisory/2018-02-14/#SECURITY-717
- https://www.oracle.com/security-alerts/cpuapr2022.html
- http://www.securityfocus.com/bid/103101
- https://github.com/jenkinsci/jenkins/commit/8830d68f5fe21f344be3496984bc4470bfcd0564
- https://github.com/advisories/GHSA-x6jw-2f23-mc5j
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.main:jenkins-core
Affected Version Ranges: >= 2.90, <= 2.106; <= 2.89.3
Fixed in: 2.107, 2.89.4