Configuration Interpolation Issue in Jenkins by CloudBees
CVE-2019-10362

5.4MEDIUM

Key Information:

Vendor
Jenkins
Status
Jenkins Configuration As Code Plugin
Vendor
CVE Published:
31 July 2019

Summary

The Jenkins Configuration as Code Plugin versions 1.24 and earlier have a flaw where values are not properly escaped during configuration imports. This action can lead to variable interpolation, enabling attackers with sufficient permissions to manipulate the Jenkins system configuration and unlawfully access sensitive environment variable data.

Affected Version(s)

Jenkins Configuration as Code Plugin 1.24 and earlier

References

http://www.openwall.com/lists/oss-security/2019/07/31/1
mailing-listx_refsource_MLIST
https://jenkins.io/security/advisory/2019-07-31/#SECURITY...
x_refsource_CONFIRM

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.