Vulnerability-Lookup

CVE-2019-1003087 (GCVE-0-2019-1003087)

Vulnerability from cvelistv5 – Published: 2019-04-04 15:38 – Updated: 2024-08-05 03:07

Summary

A missing permission check in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.

Severity ?

No CVSS data available.

Assigner

jenkins

References

3 references

URL	Tags
http://www.securityfocus.com/bid/107790	vdb-entryx_refsource_BID
http://www.openwall.com/lists/oss-security/2019/04/12/2	mailing-listx_refsource_MLIST
https://jenkins.io/security/advisory/2019-04-03/#…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
Jenkins project	Jenkins Chef Sinatra Plugin	Affected: all versions as of 2019-04-03

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T03:07:18.269Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "107790",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/107790"
          },
          {
            "name": "[oss-security] 20190413 Re: Multiple vulnerabilities in Jenkins plugins",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1037"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Jenkins Chef Sinatra Plugin",
          "vendor": "Jenkins project",
          "versions": [
            {
              "status": "affected",
              "version": "all versions as of 2019-04-03"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A missing permission check in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-24T16:46:12.999Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "name": "107790",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/107790"
        },
        {
          "name": "[oss-security] 20190413 Re: Multiple vulnerabilities in Jenkins plugins",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1037"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "jenkinsci-cert@googlegroups.com",
          "ID": "CVE-2019-1003087",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Jenkins Chef Sinatra Plugin",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "all versions as of 2019-04-03"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Jenkins project"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A missing permission check in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-285"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "107790",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/107790"
            },
            {
              "name": "[oss-security] 20190413 Re: Multiple vulnerabilities in Jenkins plugins",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
            },
            {
              "name": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1037",
              "refsource": "CONFIRM",
              "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1037"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2019-1003087",
    "datePublished": "2019-04-04T15:38:49.000Z",
    "dateReserved": "2019-04-03T00:00:00.000Z",
    "dateUpdated": "2024-08-05T03:07:18.269Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2019-1003087",
      "date": "2026-05-24",
      "epss": "0.00069",
      "percentile": "0.21091"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-1003087\",\"sourceIdentifier\":\"jenkinsci-cert@googlegroups.com\",\"published\":\"2019-04-04T16:29:01.757\",\"lastModified\":\"2024-11-21T04:17:52.987\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A missing permission check in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.\"},{\"lang\":\"es\",\"value\":\"El plugin Upload to pgyer de Jenkins almacena credenciales sin cifrar en archivos config.xml de tareas en el servidor maestro de Jenkins donde las credenciales pueden ser visualizadas por los usuarios con permisos de lectura extendidos o con acceso al sistema de archivos maestro.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:N/I:P/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jenkins:chef_sinatra:*:*:*:*:*:jenkins:*:*\",\"versionEndIncluding\":\"1.2\",\"matchCriteriaId\":\"76C38ADD-A701-42D3-9882-F88E117F0DB1\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2019/04/12/2\",\"source\":\"jenkinsci-cert@googlegroups.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/107790\",\"source\":\"jenkinsci-cert@googlegroups.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1037\",\"source\":\"jenkinsci-cert@googlegroups.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2019/04/12/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/107790\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1037\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

CNVD-2019-30403

Vulnerability from cnvd - Published: 2019-09-02

Title

CloudBees Jenkins Chef Sinatra Plugin授权问题漏洞

Description

CloudBees Jenkins（Hudson Labs）是美国CloudBees公司的一套基于Java开发的持续集成工具。该产品主要用于监控持续的软件版本发布/测试项目和一些定时执行的任务。Chef Sinatra Plugin是使用在其中的一个在Sinatra应用程序为特定包准备好所有已分配节点时自动部署代码的插件。 CloudBees Jenkins Chef Sinatra Plugin存在授权问题漏洞，具有总权限/读取权限的攻击者可利用该漏洞启动指定服务器的连接。

Severity

中

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://jenkins.io/

Reference

http://www.securityfocus.com/bid/107790

Impacted products

Name
CloudBees Jenkins Chef Sinatra Plugin

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "107790"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-1003087",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003087"
    }
  },
  "description": "CloudBees Jenkins\uff08Hudson Labs\uff09\u662f\u7f8e\u56fdCloudBees\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8eJava\u5f00\u53d1\u7684\u6301\u7eed\u96c6\u6210\u5de5\u5177\u3002\u8be5\u4ea7\u54c1\u4e3b\u8981\u7528\u4e8e\u76d1\u63a7\u6301\u7eed\u7684\u8f6f\u4ef6\u7248\u672c\u53d1\u5e03/\u6d4b\u8bd5\u9879\u76ee\u548c\u4e00\u4e9b\u5b9a\u65f6\u6267\u884c\u7684\u4efb\u52a1\u3002Chef Sinatra Plugin\u662f\u4f7f\u7528\u5728\u5176\u4e2d\u7684\u4e00\u4e2a\u5728Sinatra\u5e94\u7528\u7a0b\u5e8f\u4e3a\u7279\u5b9a\u5305\u51c6\u5907\u597d\u6240\u6709\u5df2\u5206\u914d\u8282\u70b9\u65f6\u81ea\u52a8\u90e8\u7f72\u4ee3\u7801\u7684\u63d2\u4ef6\u3002\n\nCloudBees Jenkins Chef Sinatra Plugin\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u5177\u6709\u603b\u6743\u9650/\u8bfb\u53d6\u6743\u9650\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u542f\u52a8\u6307\u5b9a\u670d\u52a1\u5668\u7684\u8fde\u63a5\u3002",
  "discovererName": "Viktor Gazdag",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://jenkins.io/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-30403",
  "openTime": "2019-09-02",
  "products": {
    "product": "CloudBees Jenkins Chef Sinatra Plugin"
  },
  "referenceLink": "http://www.securityfocus.com/bid/107790",
  "serverity": "\u4e2d",
  "submitTime": "2019-08-23",
  "title": "CloudBees Jenkins Chef Sinatra Plugin\u6388\u6743\u95ee\u9898\u6f0f\u6d1e"
}

FKIE_CVE-2019-1003087

Vulnerability from fkie_nvd - Published: 2019-04-04 16:29 - Updated: 2024-11-21 04:17

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Summary

References

URL	Tags
jenkinsci-cert@googlegroups.com	http://www.openwall.com/lists/oss-security/2019/04/12/2	Mailing List, Third Party Advisory
jenkinsci-cert@googlegroups.com	http://www.securityfocus.com/bid/107790	Third Party Advisory, VDB Entry
jenkinsci-cert@googlegroups.com	https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1037	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2019/04/12/2	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/107790	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1037	Vendor Advisory

Impacted products

	Vendor	Product	Version
	jenkins	chef_sinatra	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:jenkins:chef_sinatra:*:*:*:*:*:jenkins:*:*",
              "matchCriteriaId": "76C38ADD-A701-42D3-9882-F88E117F0DB1",
              "versionEndIncluding": "1.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A missing permission check in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server."
    },
    {
      "lang": "es",
      "value": "El plugin Upload to pgyer de Jenkins almacena credenciales sin cifrar en archivos config.xml de tareas en el servidor maestro de Jenkins donde las credenciales pueden ser visualizadas por los usuarios con permisos de lectura extendidos o con acceso al sistema de archivos maestro."
    }
  ],
  "id": "CVE-2019-1003087",
  "lastModified": "2024-11-21T04:17:52.987",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-04-04T16:29:01.757",
  "references": [
    {
      "source": "jenkinsci-cert@googlegroups.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
    },
    {
      "source": "jenkinsci-cert@googlegroups.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/107790"
    },
    {
      "source": "jenkinsci-cert@googlegroups.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1037"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/107790"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1037"
    }
  ],
  "sourceIdentifier": "jenkinsci-cert@googlegroups.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-4MVC-33V7-CQC3

Vulnerability from github – Published: 2022-05-13 01:25 – Updated: 2024-01-30 22:21

Summary

Missing permission check in Jenkins sinatra-chef-builder Plugin

Details

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:sinatra-chef-builder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-1003087"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-30T22:21:58Z",
    "nvd_published_at": "2019-04-04T16:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A missing permission check in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.",
  "id": "GHSA-4mvc-33v7-cqc3",
  "modified": "2024-01-30T22:21:58Z",
  "published": "2022-05-13T01:25:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003087"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1037"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/107790"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Missing permission check in Jenkins sinatra-chef-builder Plugin"
}

GSD-2019-1003087

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2019-1003087

Aliases

CVE-2019-1003087

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-1003087",
    "description": "A missing permission check in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.",
    "id": "GSD-2019-1003087"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-1003087"
      ],
      "details": "A missing permission check in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.",
      "id": "GSD-2019-1003087",
      "modified": "2023-12-13T01:23:44.839667Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "jenkinsci-cert@googlegroups.com",
        "ID": "CVE-2019-1003087",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Jenkins Chef Sinatra Plugin",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "all versions as of 2019-04-03"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Jenkins project"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A missing permission check in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://www.securityfocus.com/bid/107790",
            "refsource": "MISC",
            "url": "http://www.securityfocus.com/bid/107790"
          },
          {
            "name": "http://www.openwall.com/lists/oss-security/2019/04/12/2",
            "refsource": "MISC",
            "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
          },
          {
            "name": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1037",
            "refsource": "MISC",
            "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1037"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:jenkins:chef_sinatra:*:*:*:*:*:jenkins:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "jenkinsci-cert@googlegroups.com",
          "ID": "CVE-2019-1003087"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A missing permission check in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-862"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1037",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1037"
            },
            {
              "name": "107790",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/107790"
            },
            {
              "name": "[oss-security] 20190413 Re: Multiple vulnerabilities in Jenkins plugins",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2019/04/12/2"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-10-25T18:16Z",
      "publishedDate": "2019-04-04T16:29Z"
    }
  }
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2019-1003087 (GCVE-0-2019-1003087)

CNVD-2019-30403

FKIE_CVE-2019-1003087

GHSA-4MVC-33V7-CQC3

GSD-2019-1003087

Tags

Sightings

Nomenclature