Description
When exporting the configuration, Jenkins Configuration as Code Plugin 1.24 and earlier did not escape values that are treated as variable references during configuration import. An attacker with permission to change the Jenkins system configuration could store a value such as a `${VARIABLE}` reference in a configurable field; once the exported configuration was re-imported, the reference was interpolated and the field took on the value of the named environment variable, allowing the attacker to obtain it.
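The following simulation illustrates the export/import round trip described above. It is an added example, not code from the plugin or from the Jenkins project. It assumes a JCasC-style interpolation syntax in which `${NAME}` is expanded from the process environment on import and `^${NAME}` is the escape that imports as the literal text `${NAME}`; the field value, the variable name and the secret value are constructed for the example.

```python
import re

# Added illustration of the export/import round trip, not the plugin's code.
# Assumed interpolation syntax (JCasC-style): "${NAME}" is expanded on import,
# "^${NAME}" is an escape that imports as the literal text "${NAME}".
_REF = re.compile(r"\^?\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def resolve_on_import(value, env):
    """Simulated import: expand ${NAME} from env, unescape ^${NAME} to ${NAME}."""
    def expand(match):
        token = match.group(0)
        if token.startswith("^"):
            return token[1:]                 # escaped reference stays literal
        return env.get(match.group(1), "")   # unknown names expand to empty
    return _REF.sub(expand, value)


def export_vulnerable(value):
    """Export as in 1.24 and earlier: the value is emitted verbatim."""
    return value


def export_fixed(value):
    """Hardened export: every '${' is escaped so re-import keeps it literal."""
    return value.replace("${", "^${")


def round_trip(value, env, export):
    """Value stored by a config-changing user -> export -> re-import."""
    return resolve_on_import(export(value), env)


# Constructed scenario: the attacker stores a variable reference in a field
# they are allowed to edit (e.g. the system message); the Jenkins process
# environment holds a secret (constructed value, not a real token).
ATTACKER_VALUE = "build host: ${DEPLOY_TOKEN}"
ENV = {"DEPLOY_TOKEN": "tok-constructed-0000"}


def demonstrate():
    """Return (value after vulnerable round trip, value after fixed round trip)."""
    leaked = round_trip(ATTACKER_VALUE, ENV, export_vulnerable)
    kept = round_trip(ATTACKER_VALUE, ENV, export_fixed)
    return leaked, kept


if __name__ == "__main__":
    leaked, kept = demonstrate()
    print("vulnerable export, after re-import:", leaked)
    print("fixed export, after re-import:     ", kept)
```

With the unescaped export the re-imported field contains the environment variable's value, which the attacker can then read back from the configuration; with the escaped export the field still reads `${DEPLOY_TOKEN}` literally. The escaping also keeps a user-written `^${...}` escape intact across the round trip, whereas the verbatim export silently drops one level of escaping.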
References
- Mailing List, Third Party Advisory
- Vendor Advisory
- Mailing List, Third Party Advisory
- Vendor Advisory
Vulnerable configurations
Configuration 1: versions up to and including 1.24
cpe:2.3:a:jenkins:configuration_as_code:*:*:*:*:*:jenkins:*:*
EPSS
Percentile: 31%
Score: 0.00119
Low
CVSS3: 5.4 Medium
CVSS2: 5.5 Medium
Weaknesses
CWE-116
Related vulnerabilities
CVSS3: 5.4
github
more than 3 years ago
Improper Encoding or Escaping of Output in Jenkins Configuration as Code Plugin