Описание
Insertion of Sensitive Information into Externally-Accessible File or Directory in Jenkins Credentials Plugin
Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2019-10320
- https://github.com/jenkinsci/credentials-plugin/commit/40d0b5cc53c265b601ffaa4469310fad390a80fb
- https://access.redhat.com/errata/RHBA-2019:1605
- https://access.redhat.com/errata/RHSA-2019:1636
- https://jenkins.io/security/advisory/2019-05-21/#SECURITY-1322
- https://wwws.nightwatchcybersecurity.com/2019/05/23/exploring-the-file-system-via-jenkins-credentials-plugin-vulnerability-cve-2019-10320
- http://seclists.org/fulldisclosure/2019/May/39
- http://www.openwall.com/lists/oss-security/2019/05/21/1
- http://www.securityfocus.com/bid/108462
Пакеты
org.jenkins-ci.plugins:credentials
<= 2.1.18
2.1.19
Связанные уязвимости
Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate.
Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate.
Уязвимость плагина Jenkins Credentials, связанная с утечкой информации о файлах и каталогах, позволяющая нарушителю создавать или обновлять учетные данные и получить доступ к файлам, содержащим сертификат PKCS#12