CVE-2019-10320 Information

Description

Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path and obtain the certificate content of files containing a PKCS12 certificate.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Reference

http://seclists.org/fulldisclosure/2019/May/39
http://www.openwall.com/lists/oss-security/2019/05/21/1
http://www.securityfocus.com/bid/108462
https://access.redhat.com/errata/RHBA-2019:1605
https://access.redhat.com/errata/RHSA-2019:1636
https://jenkins.io/security/advisory/2019-05-21/SECURITY-1322
https://wwws.nightwatchcybersecurity.com/2019/05/23/exploring-the-file-system-via-jenkins-credentials-plugin-vulnerability-cve-2019-10320/

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

Base Score

4.3

Base Severity

MEDIUM
