{"containers": {"cna": {"affected": [{"product": "Jenkins Pipeline Remote Loader Plugin", "vendor": "Jenkins project", "versions": [{"status": "affected", "version": "1.4 and earlier"}]}], "descriptions": [{"lang": "en", "value": "Jenkins Pipeline Remote Loader Plugin 1.4 and earlier provided a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T16:47:28.713Z"}, "references": [{"name": "[oss-security] 20190531 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2019/05/31/2"}, {"name": "108540", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/108540"}, {"name": "RHBA-2019:1605", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHBA-2019:1605"}, {"name": "RHSA-2019:1636", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:1636"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-921"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2019-10328", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins Pipeline Remote Loader Plugin", "version": {"version_data": [{"version_value": "1.4 and earlier"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jenkins Pipeline Remote Loader Plugin 1.4 and earlier provided a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-183"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20190531 Multiple vulnerabilities in Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/05/31/2"}, {"name": "108540", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108540"}, {"name": "RHBA-2019:1605", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHBA-2019:1605"}, {"name": "RHSA-2019:1636", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:1636"}, {"name": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-921", "refsource": "CONFIRM", "url": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-921"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:17:20.492Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20190531 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2019/05/31/2"}, {"name": "108540", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/108540"}, {"name": "RHBA-2019:1605", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHBA-2019:1605"}, {"name": "RHSA-2019:1636", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:1636"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-921"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2019-10328", "datePublished": "2019-05-31T14:20:19", "dateReserved": "2019-03-29T00:00:00", "dateUpdated": "2024-08-04T22:17:20.492Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:pipeline_remote_loader:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "13AE1ED1-72B5-4796-A7B3-46300D94AB41", "versionEndIncluding": "1.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins Pipeline Remote Loader Plugin 1.4 and earlier provided a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection."}, {"lang": "es", "value": "En el Plugin Pipeline Remote Loader de Jenkins versi\u00f3n 1.4 y anteriores, se proporcion\u00f3 una whitelist personalizada para la seguridad del script que permit\u00eda a los atacantes recurrir a m\u00e9todos arbitrarios, omitiendo la protecci\u00f3n t\u00edpica de la sandbox."}], "id": "CVE-2019-10328", "lastModified": "2023-10-25T18:16:16.100", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-05-31T15:29:00.513", "references": [{"source": "jenkinsci-cert@googlegroups.com", "url": "http://www.openwall.com/lists/oss-security/2019/05/31/2"}, {"source": "jenkinsci-cert@googlegroups.com", "url": "http://www.securityfocus.com/bid/108540"}, {"source": "jenkinsci-cert@googlegroups.com", "url": "https://access.redhat.com/errata/RHBA-2019:1605"}, {"source": "jenkinsci-cert@googlegroups.com", "url": "https://access.redhat.com/errata/RHSA-2019:1636"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-921"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-693"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHBA-2019:1605", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "atomic-enterprise-service-catalog-1:3.11.117-1.git.1.376e432.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-06-26T00:00:00Z"}, {"advisory": "RHBA-2019:1605", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "atomic-openshift-cluster-autoscaler-0:3.11.117-1.git.1.caa79fa.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-06-26T00:00:00Z"}, {"advisory": "RHBA-2019:1605", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "atomic-openshift-descheduler-0:3.11.117-1.git.1.1635b0a.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-06-26T00:00:00Z"}, {"advisory": "RHBA-2019:1605", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "atomic-openshift-dockerregistry-0:3.11.117-1.git.1.6a42b08.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-06-26T00:00:00Z"}, {"advisory": "RHBA-2019:1605", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "atomic-openshift-metrics-server-0:3.11.117-1.git.1.319d58e.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-06-26T00:00:00Z"}, {"advisory": "RHBA-2019:1605", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "atomic-openshift-node-problem-detector-0:3.11.117-1.git.1.0345fe3.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-06-26T00:00:00Z"}, {"advisory": "RHBA-2019:1605", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "atomic-openshift-service-idler-0:3.11.117-1.git.1.887bb82.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-06-26T00:00:00Z"}, {"advisory": "RHBA-2019:1605", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "atomic-openshift-web-console-0:3.11.117-1.git.1.be7a05c.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-06-26T00:00:00Z"}, {"advisory": "RHBA-2019:1605", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "cri-o-0:1.11.14-1.rhaos3.11.gitd56660e.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-06-26T00:00:00Z"}, {"advisory": "RHBA-2019:1605", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "golang-github-openshift-oauth-proxy-0:3.11.117-1.git.1.2b006d2.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-06-26T00:00:00Z"}, {"advisory": "RHBA-2019:1605", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "golang-github-prometheus-alertmanager-0:3.11.117-1.git.1.207ef35.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-06-26T00:00:00Z"}, {"advisory": "RHBA-2019:1605", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "golang-github-prometheus-node_exporter-0:3.11.117-1.git.1.dcee33f.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-06-26T00:00:00Z"}, {"advisory": "RHBA-2019:1605", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "golang-github-prometheus-prometheus-0:3.11.117-1.git.1.f52d417.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-06-26T00:00:00Z"}, {"advisory": "RHBA-2019:1605", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "jenkins-0:2.164.2.1555422716-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-06-26T00:00:00Z"}, {"advisory": "RHBA-2019:1605", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "jenkins-2-plugins-0:3.11.1559667994-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-06-26T00:00:00Z"}, {"advisory": "RHBA-2019:1605", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift-ansible-0:3.11.123-1.git.0.db681ba.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-06-26T00:00:00Z"}, {"advisory": "RHBA-2019:1605", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift-enterprise-autoheal-0:3.11.117-1.git.1.ef32a58.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-06-26T00:00:00Z"}, {"advisory": "RHBA-2019:1605", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift-enterprise-cluster-capacity-0:3.11.117-1.git.1.6593fce.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-06-26T00:00:00Z"}, {"advisory": "RHSA-2019:1636", "cpe": "cpe:/a:redhat:openshift:4.1::el7", "package": "jenkins-2-plugins-0:4.1.1561471763-1.el7", "product_name": "Red Hat OpenShift Container Platform 4.1", "release_date": "2019-07-03T00:00:00Z"}, {"advisory": "RHBA-2019:2921", "cpe": "cpe:/a:redhat:openshift:4.2::el7", "package": "jenkins-2-plugins-0:4.2.1568997376-1.el7", "product_name": "Red Hat OpenShift Container Platform 4.2", "release_date": "2019-10-16T00:00:00Z"}], "bugzilla": {"description": "jenkins-plugin-workflow-remote-loader: Unsafe Script Security whitelist entry in Pipeline Remote Loader Plugin (SECURITY-921)", "id": "1716794", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1716794"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-184", "details": ["Jenkins Pipeline Remote Loader Plugin 1.4 and earlier provided a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection.", "A flaw was found in the Jenkins Workflow Remote Loader plugin. An unsafe whitelist entry was made that allowed invoking arbitrary methods and bypassing sandbox protection. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."], "name": "CVE-2019-10328", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.10", "fix_state": "Will not fix", "package_name": "jenkins-plugin-workflow-remote-loader", "product_name": "Red Hat OpenShift Container Platform 3.10"}, {"cpe": "cpe:/a:redhat:openshift:3.6", "fix_state": "Will not fix", "package_name": "jenkins-plugin-workflow-remote-loader", "product_name": "Red Hat OpenShift Container Platform 3.6"}, {"cpe": "cpe:/a:redhat:openshift:3.7", "fix_state": "Will not fix", "package_name": "jenkins-plugin-workflow-remote-loader", "product_name": "Red Hat OpenShift Container Platform 3.7"}, {"cpe": "cpe:/a:redhat:openshift:3.9", "fix_state": "Will not fix", "package_name": "jenkins-plugin-workflow-remote-loader", "product_name": "Red Hat OpenShift Container Platform 3.9"}], "public_date": "2019-05-31T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-10328\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10328\nhttps://jenkins.io/security/advisory/2019-05-31/#SECURITY-921"], "threat_severity": "Important", "upstream_fix": "jenkins-plugin-workflow-remote-loader 1.5"}