CVE-2019-10362 Information
Feb 14, 2021
Description
Jenkins Configuration as Code Plugin 1.24 and earlier did not escape values when exporting, resulting in variable interpolation during configuration import, allowing attackers with permission to change Jenkins system configuration to obtain the values of environment variables.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Reference
http://www.openwall.com/lists/oss-security/2019/07/31/1
https://jenkins.io/security/advisory/2019-07-31/SECURITY-1446
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
Base Score
5.4
Base Severity
MEDIUM