CVE-2014-3667 - OpenCVE

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Jenkins	Jenkins
Redhat	Openshift

Configuration 1 [-]

cpe:2.3:a:redhat:openshift:*:*:*:*:enterprise:*:*:*

Configuration 2 [-]

cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*

References

Link	Resource
https://access.redhat.com/errata/RHSA-2016:0070
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-01	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2014-10-16T19:00:00

Updated: 2016-06-09T16:57:01

Reserved: 2014-05-14T00:00:00

Link: CVE-2014-3667

JSON object: View

NVD Information

Status : Modified

Published: 2014-10-16T19:55:08.097

Modified: 2023-02-13T00:41:44.470

Link: CVE-2014-3667

JSON object: View

Redhat Information

No data.

CWE

CWE-200

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0A492A49-052F-4CD5-AE7E-AF8A6B3E1B2D", "versionEndIncluding": "3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*", "matchCriteriaId": "322F4274-7351-40C4-8D8E-8E26B89AA95C", "versionEndIncluding": "1.582", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "matchCriteriaId": "1BA9E2A3-6D74-4DC8-846F-FCF5C5BE562B", "versionEndIncluding": "1.565.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code."}, {"lang": "es", "value": "Jenkins en versiones anteriores a 1.583 y LTS en versiones anteriores a 1.565.3 no previene adecuadamente la descarga de plugins, lo que permite a usuarios remotos autenticados con el permiso Overall/READ obtener informaci\u00f3n sensible leyendo el c\u00f3digo del plugin."}], "id": "CVE-2014-3667", "lastModified": "2023-02-13T00:41:44.470", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-10-16T19:55:08.097", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2016:0070"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-01"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}