CVE-2019-10320 - OpenCVE

Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Jenkins	Credentials

Configuration 1 [-]

cpe:2.3:a:jenkins:credentials:*:*:*:*:*:jenkins:*:*

References

Link	Resource
http://seclists.org/fulldisclosure/2019/May/39
http://www.openwall.com/lists/oss-security/2019/05/21/1
http://www.securityfocus.com/bid/108462
https://access.redhat.com/errata/RHBA-2019:1605
https://access.redhat.com/errata/RHSA-2019:1636
https://jenkins.io/security/advisory/2019-05-21/#SECURITY-1322	Mitigation Vendor Advisory
https://wwws.nightwatchcybersecurity.com/2019/05/23/exploring-the-file-system-via-jenkins-credentials-plugin-vulnerability-cve-2019-10320/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: jenkins

Published: 2019-05-21T13:00:22

Updated: 2023-10-24T16:47:19.215Z

Reserved: 2019-03-29T00:00:00

Link: CVE-2019-10320

JSON object: View

NVD Information

Status : Modified

Published: 2019-05-21T13:29:00.397

Modified: 2023-10-25T18:16:15.567

Link: CVE-2019-10320

JSON object: View

Redhat Information

No data.

CWE

CWE-538

{"containers": {"cna": {"affected": [{"product": "Jenkins Credentials Plugin", "vendor": "Jenkins project", "versions": [{"status": "affected", "version": "2.1.18 and earlier"}]}], "descriptions": [{"lang": "en", "value": "Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T16:47:19.215Z"}, "references": [{"name": "[oss-security] 20190521 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2019/05/21/1"}, {"name": "20190524 Exploring the File System via Jenkins Credentials Plugin Vulnerability - CVE-2019-10320", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2019/May/39"}, {"name": "108462", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/108462"}, {"tags": ["x_refsource_MISC"], "url": "https://wwws.nightwatchcybersecurity.com/2019/05/23/exploring-the-file-system-via-jenkins-credentials-plugin-vulnerability-cve-2019-10320/"}, {"name": "RHBA-2019:1605", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHBA-2019:1605"}, {"name": "RHSA-2019:1636", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:1636"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://jenkins.io/security/advisory/2019-05-21/#SECURITY-1322"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2019-10320", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins Credentials Plugin", "version": {"version_data": [{"version_value": "2.1.18 and earlier"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20190521 Multiple vulnerabilities in Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/05/21/1"}, {"name": "20190524 Exploring the File System via Jenkins Credentials Plugin Vulnerability - CVE-2019-10320", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2019/May/39"}, {"name": "108462", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108462"}, {"name": "https://wwws.nightwatchcybersecurity.com/2019/05/23/exploring-the-file-system-via-jenkins-credentials-plugin-vulnerability-cve-2019-10320/", "refsource": "MISC", "url": "https://wwws.nightwatchcybersecurity.com/2019/05/23/exploring-the-file-system-via-jenkins-credentials-plugin-vulnerability-cve-2019-10320/"}, {"name": "RHBA-2019:1605", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHBA-2019:1605"}, {"name": "RHSA-2019:1636", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:1636"}, {"name": "https://jenkins.io/security/advisory/2019-05-21/#SECURITY-1322", "refsource": "CONFIRM", "url": "https://jenkins.io/security/advisory/2019-05-21/#SECURITY-1322"}]}}}}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2019-10320", "datePublished": "2019-05-21T13:00:22", "dateReserved": "2019-03-29T00:00:00", "dateUpdated": "2023-10-24T16:47:19.215Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:credentials:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "1C0AE498-26FD-4F65-AE42-C8A5934C93F3", "versionEndIncluding": "2.1.18", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate."}, {"lang": "es", "value": "Jenkins Credentials Plugin 2.1.18 y versiones anteriores permitieron a los usuarios con permiso crear o actualizar credenciales para confirmar la existencia de archivos en el maestro Jenkins con una attacker-specified path y obtener el contenido del certificado de los archivos que contienen un PKCS # 12 certificate."}], "id": "CVE-2019-10320", "lastModified": "2023-10-25T18:16:15.567", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-05-21T13:29:00.397", "references": [{"source": "jenkinsci-cert@googlegroups.com", "url": "http://seclists.org/fulldisclosure/2019/May/39"}, {"source": "jenkinsci-cert@googlegroups.com", "url": "http://www.openwall.com/lists/oss-security/2019/05/21/1"}, {"source": "jenkinsci-cert@googlegroups.com", "url": "http://www.securityfocus.com/bid/108462"}, {"source": "jenkinsci-cert@googlegroups.com", "url": "https://access.redhat.com/errata/RHBA-2019:1605"}, {"source": "jenkinsci-cert@googlegroups.com", "url": "https://access.redhat.com/errata/RHSA-2019:1636"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://jenkins.io/security/advisory/2019-05-21/#SECURITY-1322"}, {"source": "jenkinsci-cert@googlegroups.com", "url": "https://wwws.nightwatchcybersecurity.com/2019/05/23/exploring-the-file-system-via-jenkins-credentials-plugin-vulnerability-cve-2019-10320/"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-538"}], "source": "nvd@nist.gov", "type": "Primary"}]}