{"containers": {"cna": {"affected": [{"product": "Jenkins", "vendor": "Jenkins project", "versions": [{"status": "affected", "version": "2.185 and earlier, LTS 2.176.1 and earlier"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T16:47:59.324Z"}, "references": [{"name": "[oss-security] 20190717 Multiple vulnerabilities in Jenkins", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2019/07/17/2"}, {"name": "109373", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/109373"}, {"name": "RHSA-2019:2503", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:2503"}, {"name": "RHSA-2019:2548", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:2548"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://jenkins.io/security/advisory/2019-07-17/#SECURITY-534"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2019-10354", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins", "version": {"version_data": [{"version_value": "2.185 and earlier, LTS 2.176.1 and earlier"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-425"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20190717 Multiple vulnerabilities in Jenkins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/07/17/2"}, {"name": "109373", "refsource": "BID", "url": "http://www.securityfocus.com/bid/109373"}, {"name": "RHSA-2019:2503", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2503"}, {"name": "RHSA-2019:2548", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2548"}, {"name": "https://jenkins.io/security/advisory/2019-07-17/#SECURITY-534", "refsource": "CONFIRM", "url": "https://jenkins.io/security/advisory/2019-07-17/#SECURITY-534"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:17:20.331Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20190717 Multiple vulnerabilities in Jenkins", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2019/07/17/2"}, {"name": "109373", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/109373"}, {"name": "RHSA-2019:2503", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:2503"}, {"name": "RHSA-2019:2548", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:2548"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://jenkins.io/security/advisory/2019-07-17/#SECURITY-534"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2019-10354", "datePublished": "2019-07-17T15:45:13", "dateReserved": "2019-03-29T00:00:00", "dateUpdated": "2024-08-04T22:17:20.331Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "matchCriteriaId": "36061F39-5E8A-4308-B032-CACA3D215495", "versionEndIncluding": "2.176.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*", "matchCriteriaId": "096D9B21-29B1-40BD-AF5E-0802664D9F9A", "versionEndIncluding": "2.185", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*", "matchCriteriaId": "2F87326E-0B56-4356-A889-73D026DB1D4B", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*", "matchCriteriaId": "064E7BDD-4EF0-4A0D-A38D-8C75BAFEDCEF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information."}, {"lang": "es", "value": "Una vulnerabilidad en el framework web Stapler usado en Jenkins versiones 2.185 y anteriores, LTS versiones 2.176.1 y anteriores, ha permitido a los atacantes acceder directamente a los fragmentos de visualizaci\u00f3n, omitiendo las comprobaciones de permisos y posiblemente obtener informaci\u00f3n confidencial."}], "id": "CVE-2019-10354", "lastModified": "2024-11-21T04:18:57.347", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-17T16:15:12.553", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2019/07/17/2"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/109373"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:2503"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:2548"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://jenkins.io/security/advisory/2019-07-17/#SECURITY-534"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2019/07/17/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/109373"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:2503"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:2548"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://jenkins.io/security/advisory/2019-07-17/#SECURITY-534"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2019:2503", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "jenkins-0:2.176.2.1563460897-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-08-15T00:00:00Z"}, {"advisory": "RHSA-2019:2548", "cpe": "cpe:/a:redhat:openshift:4.1::el7", "package": "jenkins-0:2.176.2.1563461785-1.el7", "product_name": "Red Hat OpenShift Container Platform 4.1", "release_date": "2019-08-28T00:00:00Z"}], "bugzilla": {"description": "jenkins: Unauthorized view fragment access (SECURITY-534)", "id": "1730869", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1730869"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information."], "name": "CVE-2019-10354", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.10", "fix_state": "Will not fix", "package_name": "jenkins", "product_name": "Red Hat OpenShift Container Platform 3.10"}, {"cpe": "cpe:/a:redhat:openshift:3.6", "fix_state": "Will not fix", "package_name": "jenkins", "product_name": "Red Hat OpenShift Container Platform 3.6"}, {"cpe": "cpe:/a:redhat:openshift:3.7", "fix_state": "Will not fix", "package_name": "jenkins", "product_name": "Red Hat OpenShift Container Platform 3.7"}, {"cpe": "cpe:/a:redhat:openshift:3.9", "fix_state": "Will not fix", "package_name": "jenkins", "product_name": "Red Hat OpenShift Container Platform 3.9"}], "public_date": "2019-07-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-10354\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10354\nhttps://jenkins.io/security/advisory/2019-07-17/#SECURITY-534"], "threat_severity": "Moderate", "upstream_fix": "Jenkins LTS 2.176.2, jenkins weekly 2.186"}