CVE-2019-1010241 - OpenCVE

Jenkins Credentials Binding Plugin Jenkins 1.17 is affected by: CWE-257: Storing Passwords in a Recoverable Format. The impact is: Authenticated users can recover credentials. The component is: config-variables.jelly line #30 (passwordVariable). The attack vector is: Attacker creates and executes a Jenkins job.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Jenkins	Credentials Binding

Configuration 1 [-]

cpe:2.3:a:jenkins:credentials_binding:1.17:*:*:*:*:jenkins:*:*

References

Link	Resource
http://www.securityfocus.com/bid/109320	Third Party Advisory VDB Entry
https://docs.google.com/document/d/1MBEoJSMvkjp5Kua0bRD_kiDBisL0fOCwTL9uMWj4lGA/edit?usp=sharing	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: dwf

Published: 2019-07-19T16:36:02

Updated: 2019-07-26T07:06:04

Reserved: 2019-03-20T00:00:00

Link: CVE-2019-1010241

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-07-19T17:15:11.877

Modified: 2020-09-30T13:40:29.600

Link: CVE-2019-1010241

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Jenkins", "vendor": "Jenkins Credentials Binding Plugin", "versions": [{"status": "affected", "version": "1.17"}]}], "descriptions": [{"lang": "en", "value": "Jenkins Credentials Binding Plugin Jenkins 1.17 is affected by: CWE-257: Storing Passwords in a Recoverable Format. The impact is: Authenticated users can recover credentials. The component is: config-variables.jelly line #30 (passwordVariable). The attack vector is: Attacker creates and executes a Jenkins job."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-257", "description": "CWE-257: Storing Passwords in a Recoverable Format", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-07-26T07:06:04", "orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "shortName": "dwf"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://docs.google.com/document/d/1MBEoJSMvkjp5Kua0bRD_kiDBisL0fOCwTL9uMWj4lGA/edit?usp=sharing"}, {"name": "109320", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/109320"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-assign@distributedweaknessfiling.org", "ID": "CVE-2019-1010241", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins", "version": {"version_data": [{"version_value": "1.17"}]}}]}, "vendor_name": "Jenkins Credentials Binding Plugin"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jenkins Credentials Binding Plugin Jenkins 1.17 is affected by: CWE-257: Storing Passwords in a Recoverable Format. The impact is: Authenticated users can recover credentials. The component is: config-variables.jelly line #30 (passwordVariable). The attack vector is: Attacker creates and executes a Jenkins job."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-257: Storing Passwords in a Recoverable Format"}]}]}, "references": {"reference_data": [{"name": "https://docs.google.com/document/d/1MBEoJSMvkjp5Kua0bRD_kiDBisL0fOCwTL9uMWj4lGA/edit?usp=sharing", "refsource": "MISC", "url": "https://docs.google.com/document/d/1MBEoJSMvkjp5Kua0bRD_kiDBisL0fOCwTL9uMWj4lGA/edit?usp=sharing"}, {"name": "109320", "refsource": "BID", "url": "http://www.securityfocus.com/bid/109320"}]}}}}, "cveMetadata": {"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "assignerShortName": "dwf", "cveId": "CVE-2019-1010241", "datePublished": "2019-07-19T16:36:02", "dateReserved": "2019-03-20T00:00:00", "dateUpdated": "2019-07-26T07:06:04", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:credentials_binding:1.17:*:*:*:*:jenkins:*:*", "matchCriteriaId": "4A48CF1E-58E9-49ED-89AF-32D0987D03DD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Jenkins Credentials Binding Plugin Jenkins 1.17 is affected by: CWE-257: Storing Passwords in a Recoverable Format. The impact is: Authenticated users can recover credentials. The component is: config-variables.jelly line #30 (passwordVariable). The attack vector is: Attacker creates and executes a Jenkins job."}, {"lang": "es", "value": "El plugin Credentials Binding versi\u00f3n 1.17 de Jenkins, est\u00e1 afectado por: CWE-257: Almacenamiento de Contrase\u00f1as en un Formato Recuperable. El impacto es: los usuarios autenticados pueden recuperar credenciales. El componente es: archivo config-variables.jelly line # 30 (passwordVariable). El vector de ataque es: El atacante crea y ejecuta un trabajo de Jenkins."}], "id": "CVE-2019-1010241", "lastModified": "2020-09-30T13:40:29.600", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-19T17:15:11.877", "references": [{"source": "josh@bress.net", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/109320"}, {"source": "josh@bress.net", "tags": ["Exploit", "Third Party Advisory"], "url": "https://docs.google.com/document/d/1MBEoJSMvkjp5Kua0bRD_kiDBisL0fOCwTL9uMWj4lGA/edit?usp=sharing"}], "sourceIdentifier": "josh@bress.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-257"}], "source": "josh@bress.net", "type": "Secondary"}]}