CVE-2019-10352
jenkins: Arbitrary file write vulnerability using file parameter definitions (SECURITY-1424)
Public Exploits: 1
Exploited in Wild: -
Descriptions
A path traversal vulnerability in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java allowed attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build.
Timeline
- 2019-03-29 CVE Reserved
- 2019-07-17 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- 2024-11-15 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
References (8)
URL | Tag | Source |
---|---|---|
http://www.openwall.com/lists/oss-security/2019/07/17/2 | Mailing List | |
http://www.securityfocus.com/bid/109299 | Third Party Advisory | |

URL | Date | SRC |
---|---|---|
https://www.tenable.com/security/research/tra-2019-35 | 2024-08-04 | |

URL | Date | SRC |
---|---|---|
https://access.redhat.com/errata/RHSA-2019:2503 | 2023-10-25 | |
https://access.redhat.com/errata/RHSA-2019:2548 | 2023-10-25 | |
https://jenkins.io/security/advisory/2019-07-17/#SECURITY-1424 | 2023-10-25 | |
https://access.redhat.com/security/cve/CVE-2019-10352 | 2019-08-28 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1730824 | 2019-08-28 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Jenkins | Jenkins | <= 2.176.1 | lts | Affected |
Jenkins | Jenkins | <= 2.185 | - | Affected |