Search
Find a vulnerability
Search criteria
8 vulnerabilities found for Jenkins iceScrum Plugin by Jenkins project
CVE-2024-28160 (GCVE-0-2024-28160)
Vulnerability from nvd – Published: 2024-03-06 17:02 – Updated: 2025-02-13 17:47
VLAI
EPSS
VEX
Summary
Jenkins iceScrum Plugin 1.1.6 and earlier does not sanitize iceScrum project URLs on build views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Jenkins Project | Jenkins iceScrum Plugin |
Affected:
0 , ≤ 1.1.6
(maven)
|
|
| jenkins | icescrum |
Affected:
0 , ≤ 1.1.6
(custom)
cpe:2.3:a:jenkins:icescrum:-:*:*:*:*:jenkins:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:jenkins:icescrum:-:*:*:*:*:jenkins:*:*"
],
"defaultStatus": "unknown",
"product": "icescrum",
"vendor": "jenkins",
"versions": [
{
"lessThanOrEqual": "1.1.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-28160",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T16:56:15.194078Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T16:58:55.917Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.535Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Jenkins Security Advisory 2024-03-06",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3248"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/06/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Jenkins iceScrum Plugin",
"vendor": "Jenkins Project",
"versions": [
{
"lessThanOrEqual": "1.1.6",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins iceScrum Plugin 1.1.6 and earlier does not sanitize iceScrum project URLs on build views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs."
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T18:06:10.799Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"name": "Jenkins Security Advisory 2024-03-06",
"tags": [
"vendor-advisory"
],
"url": "https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3248"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/03/06/3"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2024-28160",
"datePublished": "2024-03-06T17:02:01.368Z",
"dateReserved": "2024-03-05T19:29:05.205Z",
"dateUpdated": "2025-02-13T17:47:24.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10443 (GCVE-0-2019-10443)
Vulnerability from nvd – Published: 2019-10-16 13:00 – Updated: 2024-08-04 22:24
VLAI
EPSS
VEX
Summary
Jenkins iceScrum Plugin 1.1.4 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.
Severity
No CVSS data available.
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://jenkins.io/security/advisory/2019-10-16/#… | x_refsource_CONFIRM |
| http://www.openwall.com/lists/oss-security/2019/10/16/6 | mailing-listx_refsource_MLIST |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Jenkins project | Jenkins iceScrum Plugin |
Affected:
1.1.4 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:24:17.946Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1436"
},
{
"name": "[oss-security] 20191016 Multiple vulnerabilities in Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/10/16/6"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-933/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jenkins iceScrum Plugin",
"vendor": "Jenkins project",
"versions": [
{
"status": "affected",
"version": "1.1.4 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins iceScrum Plugin 1.1.4 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T16:49:44.144Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1436"
},
{
"name": "[oss-security] 20191016 Multiple vulnerabilities in Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2019/10/16/6"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-933/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2019-10443",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jenkins iceScrum Plugin",
"version": {
"version_data": [
{
"version_value": "1.1.4 and earlier"
}
]
}
}
]
},
"vendor_name": "Jenkins project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Jenkins iceScrum Plugin 1.1.4 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-256"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1436",
"refsource": "CONFIRM",
"url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1436"
},
{
"name": "[oss-security] 20191016 Multiple vulnerabilities in Jenkins plugins",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2019/10/16/6"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-19-933/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-933/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2019-10443",
"datePublished": "2019-10-16T13:00:47.000Z",
"dateReserved": "2019-03-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:24:17.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10442 (GCVE-0-2019-10442)
Vulnerability from nvd – Published: 2019-10-16 13:00 – Updated: 2024-08-04 22:24
VLAI
EPSS
VEX
Summary
A missing permission check in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.
Severity
No CVSS data available.
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://jenkins.io/security/advisory/2019-10-16/#… | x_refsource_CONFIRM |
| http://www.openwall.com/lists/oss-security/2019/10/16/6 | mailing-listx_refsource_MLIST |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Jenkins project | Jenkins iceScrum Plugin |
Affected:
1.1.5 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:24:18.037Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1484"
},
{
"name": "[oss-security] 20191016 Multiple vulnerabilities in Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/10/16/6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jenkins iceScrum Plugin",
"vendor": "Jenkins project",
"versions": [
{
"status": "affected",
"version": "1.1.5 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A missing permission check in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T16:49:42.965Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1484"
},
{
"name": "[oss-security] 20191016 Multiple vulnerabilities in Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2019/10/16/6"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2019-10442",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jenkins iceScrum Plugin",
"version": {
"version_data": [
{
"version_value": "1.1.5 and earlier"
}
]
}
}
]
},
"vendor_name": "Jenkins project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A missing permission check in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1484",
"refsource": "CONFIRM",
"url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1484"
},
{
"name": "[oss-security] 20191016 Multiple vulnerabilities in Jenkins plugins",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2019/10/16/6"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2019-10442",
"datePublished": "2019-10-16T13:00:47.000Z",
"dateReserved": "2019-03-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:24:18.037Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10441 (GCVE-0-2019-10441)
Vulnerability from nvd – Published: 2019-10-16 13:00 – Updated: 2024-08-04 22:24
VLAI
EPSS
VEX
Summary
A cross-site request forgery vulnerability in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials.
Severity
No CVSS data available.
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://jenkins.io/security/advisory/2019-10-16/#… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Jenkins project | Jenkins iceScrum Plugin |
Affected:
1.1.5 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:24:18.342Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1484"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jenkins iceScrum Plugin",
"vendor": "Jenkins project",
"versions": [
{
"status": "affected",
"version": "1.1.5 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A cross-site request forgery vulnerability in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T16:49:41.826Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1484"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2019-10441",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jenkins iceScrum Plugin",
"version": {
"version_data": [
{
"version_value": "1.1.5 and earlier"
}
]
}
}
]
},
"vendor_name": "Jenkins project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A cross-site request forgery vulnerability in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1484",
"refsource": "CONFIRM",
"url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1484"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2019-10441",
"datePublished": "2019-10-16T13:00:46.000Z",
"dateReserved": "2019-03-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:24:18.342Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28160 (GCVE-0-2024-28160)
Vulnerability from cvelistv5 – Published: 2024-03-06 17:02 – Updated: 2025-02-13 17:47
VLAI
EPSS
VEX
Summary
Jenkins iceScrum Plugin 1.1.6 and earlier does not sanitize iceScrum project URLs on build views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Jenkins Project | Jenkins iceScrum Plugin |
Affected:
0 , ≤ 1.1.6
(maven)
|
|
| jenkins | icescrum |
Affected:
0 , ≤ 1.1.6
(custom)
cpe:2.3:a:jenkins:icescrum:-:*:*:*:*:jenkins:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:jenkins:icescrum:-:*:*:*:*:jenkins:*:*"
],
"defaultStatus": "unknown",
"product": "icescrum",
"vendor": "jenkins",
"versions": [
{
"lessThanOrEqual": "1.1.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-28160",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T16:56:15.194078Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T16:58:55.917Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.535Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Jenkins Security Advisory 2024-03-06",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3248"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/06/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Jenkins iceScrum Plugin",
"vendor": "Jenkins Project",
"versions": [
{
"lessThanOrEqual": "1.1.6",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins iceScrum Plugin 1.1.6 and earlier does not sanitize iceScrum project URLs on build views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs."
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T18:06:10.799Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"name": "Jenkins Security Advisory 2024-03-06",
"tags": [
"vendor-advisory"
],
"url": "https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3248"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/03/06/3"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2024-28160",
"datePublished": "2024-03-06T17:02:01.368Z",
"dateReserved": "2024-03-05T19:29:05.205Z",
"dateUpdated": "2025-02-13T17:47:24.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10442 (GCVE-0-2019-10442)
Vulnerability from cvelistv5 – Published: 2019-10-16 13:00 – Updated: 2024-08-04 22:24
VLAI
EPSS
VEX
Summary
A missing permission check in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.
Severity
No CVSS data available.
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://jenkins.io/security/advisory/2019-10-16/#… | x_refsource_CONFIRM |
| http://www.openwall.com/lists/oss-security/2019/10/16/6 | mailing-listx_refsource_MLIST |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Jenkins project | Jenkins iceScrum Plugin |
Affected:
1.1.5 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:24:18.037Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1484"
},
{
"name": "[oss-security] 20191016 Multiple vulnerabilities in Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/10/16/6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jenkins iceScrum Plugin",
"vendor": "Jenkins project",
"versions": [
{
"status": "affected",
"version": "1.1.5 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A missing permission check in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T16:49:42.965Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1484"
},
{
"name": "[oss-security] 20191016 Multiple vulnerabilities in Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2019/10/16/6"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2019-10442",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jenkins iceScrum Plugin",
"version": {
"version_data": [
{
"version_value": "1.1.5 and earlier"
}
]
}
}
]
},
"vendor_name": "Jenkins project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A missing permission check in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1484",
"refsource": "CONFIRM",
"url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1484"
},
{
"name": "[oss-security] 20191016 Multiple vulnerabilities in Jenkins plugins",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2019/10/16/6"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2019-10442",
"datePublished": "2019-10-16T13:00:47.000Z",
"dateReserved": "2019-03-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:24:18.037Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10443 (GCVE-0-2019-10443)
Vulnerability from cvelistv5 – Published: 2019-10-16 13:00 – Updated: 2024-08-04 22:24
VLAI
EPSS
VEX
Summary
Jenkins iceScrum Plugin 1.1.4 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.
Severity
No CVSS data available.
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://jenkins.io/security/advisory/2019-10-16/#… | x_refsource_CONFIRM |
| http://www.openwall.com/lists/oss-security/2019/10/16/6 | mailing-listx_refsource_MLIST |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Jenkins project | Jenkins iceScrum Plugin |
Affected:
1.1.4 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:24:17.946Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1436"
},
{
"name": "[oss-security] 20191016 Multiple vulnerabilities in Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/10/16/6"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-933/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jenkins iceScrum Plugin",
"vendor": "Jenkins project",
"versions": [
{
"status": "affected",
"version": "1.1.4 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins iceScrum Plugin 1.1.4 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T16:49:44.144Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1436"
},
{
"name": "[oss-security] 20191016 Multiple vulnerabilities in Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2019/10/16/6"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-933/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2019-10443",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jenkins iceScrum Plugin",
"version": {
"version_data": [
{
"version_value": "1.1.4 and earlier"
}
]
}
}
]
},
"vendor_name": "Jenkins project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Jenkins iceScrum Plugin 1.1.4 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-256"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1436",
"refsource": "CONFIRM",
"url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1436"
},
{
"name": "[oss-security] 20191016 Multiple vulnerabilities in Jenkins plugins",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2019/10/16/6"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-19-933/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-933/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2019-10443",
"datePublished": "2019-10-16T13:00:47.000Z",
"dateReserved": "2019-03-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:24:17.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10441 (GCVE-0-2019-10441)
Vulnerability from cvelistv5 – Published: 2019-10-16 13:00 – Updated: 2024-08-04 22:24
VLAI
EPSS
VEX
Summary
A cross-site request forgery vulnerability in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials.
Severity
No CVSS data available.
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://jenkins.io/security/advisory/2019-10-16/#… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Jenkins project | Jenkins iceScrum Plugin |
Affected:
1.1.5 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:24:18.342Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1484"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jenkins iceScrum Plugin",
"vendor": "Jenkins project",
"versions": [
{
"status": "affected",
"version": "1.1.5 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A cross-site request forgery vulnerability in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T16:49:41.826Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1484"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2019-10441",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jenkins iceScrum Plugin",
"version": {
"version_data": [
{
"version_value": "1.1.5 and earlier"
}
]
}
}
]
},
"vendor_name": "Jenkins project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A cross-site request forgery vulnerability in Jenkins iceScrum Plugin 1.1.5 and earlier allowed attackers to connect to an attacker-specified URL using attacker-specified credentials."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1484",
"refsource": "CONFIRM",
"url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1484"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2019-10441",
"datePublished": "2019-10-16T13:00:46.000Z",
"dateReserved": "2019-03-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:24:18.342Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}