Bug 1735521 (CVE-2019-10357) - CVE-2019-10357 jenkins-plugin-workflow-cps-global-lib: Missing permission check in Pipeline: Shared Groovy Libraries Plugin
Status: CLOSED ERRATA
Alias: CVE-2019-10357
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1735526 1735527 1735528
Blocks: 1735517
Reported: 2019-08-01 03:32 UTC by Sam Fowler
Modified: 2021-02-16 21:35 UTC

Fixed In Version: jenkins-plugin-workflow-cps-global-lib 2.15
Last Closed: 2019-09-04 13:07:32 UTC


Links
System                  ID              Last Updated
Red Hat Product Errata  RHSA-2019:2651  2019-09-04 07:15:47 UTC
Red Hat Product Errata  RHSA-2019:2662  2019-09-11 05:16:30 UTC

Description Sam Fowler 2019-08-01 03:32:58 UTC
The Jenkins Pipeline: Shared Groovy Libraries Plugin provides form validation to determine whether the revision (e.g. commit, tag, or branch name) specified for a global library exists in the repository. This form validation method lacked a permission check, allowing attackers with Overall/Read access to determine whether an attacker-specified revision exists in an SCM repository configured for use in an existing shared library.

Pipeline: Shared Groovy Libraries Plugin now performs the appropriate permission check.


External References:

https://jenkins.io/security/advisory/2019-07-31/#SECURITY-1422

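The following is an added illustration of the bug class the description refers to: a Jenkins form-validation method that consults an SCM before checking who is asking, beside the same method with the permission check in place. It is not code from the Pipeline: Shared Groovy Libraries Plugin or from Jenkins core; the class, method and field names are hypothetical, the repository data is constructed, and the permission used in the hardened version (Overall/Administer, the permission needed to edit global library configuration) is an assumption, since the advisory text above only says that "the appropriate permission check" was added.

```java
// Added illustration of the vulnerability class described in the bug text.
// NOT code from the Pipeline: Shared Groovy Libraries Plugin or Jenkins core:
// names are hypothetical, SAMPLE_REPOS is constructed data, and the choice of
// Overall/Administer for the hardened version is an assumption.
// Stapler routes a request for .../checkRevision?repoUrl=...&revision=...
// to the doCheckRevision(...) method on a web-bound object such as a Descriptor.
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.util.Map;
import java.util.Set;

public class LibraryRevisionValidationExample {

    // Constructed sample data standing in for the SCM lookup a real plugin
    // performs (it asks the configured SCM whether the revision resolves).
    private static final Map<String, Set<String>> SAMPLE_REPOS = Map.of(
            "https://git.example.com/shared-lib.git", Set.of("master", "v1.2.0", "3f9c2a1"));

    static boolean revisionExists(String repoUrl, String revision) {
        return SAMPLE_REPOS.getOrDefault(repoUrl, Set.of()).contains(revision);
    }

    // Vulnerable shape: the SCM is consulted and the answer returned before any
    // authorization decision. Anyone who can reach the endpoint (Overall/Read
    // is enough to reach most form-validation URLs) gets an existence oracle
    // for revisions in a repository they may not otherwise be able to see.
    public FormValidation doCheckRevisionUnprotected(@QueryParameter String repoUrl,
                                                     @QueryParameter String revision) {
        return revisionExists(repoUrl, revision)
                ? FormValidation.ok()
                : FormValidation.error("Revision '" + revision + "' not found in " + repoUrl);
    }

    // Hardened shape: fail closed before touching the SCM. checkPermission()
    // throws for callers lacking the permission (Jenkins turns that into an
    // HTTP 403), so neither the "found" nor the "not found" branch is ever
    // reached for them. @RequirePOST is an additional, commonly applied
    // measure that is not mentioned in the advisory: it keeps the check from
    // being triggered by a plain GET link.
    @RequirePOST
    public FormValidation doCheckRevision(@QueryParameter String repoUrl,
                                          @QueryParameter String revision) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return revisionExists(repoUrl, revision)
                ? FormValidation.ok()
                : FormValidation.error("Revision '" + revision + "' not found in " + repoUrl);
    }
}
```

The ordering is the whole point: the permission check has to precede the SCM call, otherwise the round trip to the repository (and any difference in response time or error text) still leaks. When auditing an instance rather than the code, the "Fixed In Version" field above gives the threshold to compare against: the plugin with short name workflow-cps-global-lib must be at 2.15 or later, as shown in Manage Jenkins > Plugin Manager or in the plugin list returned by the pluginManager/api/json endpoint.
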
Comment 4 Sam Fowler 2019-08-01 04:00:14 UTC
"Any security advisory related updates to Jenkins core or the plugins we include in the OpenShift Jenkins master image will only occur in the v3.11 and v4.x branches of this repository."

https://github.com/openshift/jenkins/blob/master/README.md#jenkins-security-advisories-the-master-image-from-this-repository-and-the-oc-binary

Comment 5 errata-xmlrpc 2019-09-04 07:15:46 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2019:2651 https://access.redhat.com/errata/RHSA-2019:2651

Comment 6 Product Security DevOps Team 2019-09-04 13:07:32 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10357

Comment 7 errata-xmlrpc 2019-09-11 05:16:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:2662 https://access.redhat.com/errata/RHSA-2019:2662
