CVE-2019-10362

CWE-1165 documents5 sources

Severity

5.4MEDIUM

EPSS

0.1%

top 69.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Configuration AS Code Jenkins Project Jenkins Configuration AS Code Plugin

Timeline

PublishedJul 31

Latest updateMay 24

Description

Jenkins Configuration as Code Plugin 1.24 and earlier did not escape values resulting in variable interpolation during configuration import when exporting, allowing attackers with permission to change Jenkins system configuration to obtain the values of environment variables.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages3 packages

▶CVEListV5jenkins_project/jenkins_configuration_as_code_plugin1.24 and earlier

▶Mavenio.jenkins:configuration-as-code< 1.25

▶NVDjenkins/configuration_as_code1.24

🔴Vulnerability Details

GHSA

Improper Encoding or Escaping of Output in Jenkins Configuration as Code Plugin↗2022-05-24

▶

OSV

Improper Encoding or Escaping of Output in Jenkins Configuration as Code Plugin↗2022-05-24

▶

CVEList

CVE-2019-10362: Jenkins Configuration as Code Plugin 1↗2019-07-31

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2019-07-31↗2019-07-31

▶