CVE-2019-10436 — Path Traversal in Jenkins Google Oauth Credentials

CWE-22 — Path Traversal4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 65.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Google Oauth Credentials Jenkins Project Jenkins Google Oauth Credentials Plugin Jenkins Bumblebee HP ALM Plugin +18 more

Timeline

PublishedOct 16

Latest updateMay 24

Description

An arbitrary file read vulnerability in Jenkins Google OAuth Credentials Plugin 0.9 and earlier allowed attackers able to configure jobs and credentials in Jenkins to obtain the contents of any file on the Jenkins master.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages21 packages

▶jenkinsjenkins/google_oauth_credentials_plugin

▶CVEListV5jenkins_project/jenkins_google_oauth_credentials_plugin0.9 and earlier

▶NVDjenkins/google_oauth_credentials0.9

▶jenkinsjenkins/google_kubernetes_engine_plugin

▶jenkinsjenkins/delphix_plugin

🔴Vulnerability Details

OSV

Improper Limitation of a Pathname to a Restricted Directory in Jenkins Google OAuth Credentials Plugin↗2022-05-24

▶

GHSA

Improper Limitation of a Pathname to a Restricted Directory in Jenkins Google OAuth Credentials Plugin↗2022-05-24

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2019-10-16↗2019-10-16

▶