GHSA-5r6p-p9r6-r326

Source

https://github.com/advisories/GHSA-5r6p-p9r6-r326

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5r6p-p9r6-r326/GHSA-5r6p-p9r6-r326.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5r6p-p9r6-r326

Aliases

CVE-2019-10362

Published

2022-05-24T16:51:51Z

Modified

2024-02-16T08:24:44.317760Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Improper Encoding or Escaping of Output in Jenkins Configuration as Code Plugin

Details

Jenkins Configuration as Code Plugin 1.24 and earlier did not escape values resulting in variable interpolation during configuration import when exporting, allowing attackers with permission to change Jenkins system configuration to obtain the values of environment variables.

Database specific

{
    "nvd_published_at": "2019-07-31T13:15:00Z",
    "cwe_ids": [
        "CWE-116"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-28T22:38:20Z"
}

References

Affected packages

Maven / io.jenkins:configuration-as-code

Package

Name: io.jenkins:configuration-as-code; View open source insights on deps.dev
Purl: pkg:maven/io.jenkins/configuration-as-code

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.25

Affected versions

0.*

0.6-alpha

0.7-alpha

0.8-alpha

0.9-alpha

0.10-alpha

0.11-alpha

1.*

1.0-rc1

1.0-rc2

1.0-rc3

1.0

1.1

1.2

1.3

1.4

1.5

1.6

1.7

1.8

1.9

1.10

1.11

1.12

1.13

1.14

1.15

1.16

1.17

1.18

1.19

1.20

1.21

1.22

1.23

1.24

Database specific

{
    "last_known_affected_version_range": "<= 1.24"
}