Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14bTk0LTlqdzgtcDZod84AAgwI
Insertion of Sensitive Information into Externally-Accessible File or Directory in Jenkins Credentials Plugin
Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate.
Permalink: https://github.com/advisories/GHSA-xm94-9jw8-p6hwJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14bTk0LTlqdzgtcDZod84AAgwI
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 5 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-xm94-9jw8-p6hw, CVE-2019-10320
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10320
- https://jenkins.io/security/advisory/2019-05-21/#SECURITY-1322
- http://www.openwall.com/lists/oss-security/2019/05/21/1
- https://access.redhat.com/errata/RHBA-2019:1605
- https://access.redhat.com/errata/RHSA-2019:1636
- https://wwws.nightwatchcybersecurity.com/2019/05/23/exploring-the-file-system-via-jenkins-credentials-plugin-vulnerability-cve-2019-10320/
- http://seclists.org/fulldisclosure/2019/May/39
- http://www.securityfocus.com/bid/108462
- https://github.com/jenkinsci/credentials-plugin/commit/40d0b5cc53c265b601ffaa4469310fad390a80fb
- https://github.com/advisories/GHSA-xm94-9jw8-p6hw
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:credentials
Affected Version Ranges: <= 2.1.18Fixed in: 2.1.19