Bug 1735521 (CVE-2019-10357) - CVE-2019-10357 jenkins-plugin-workflow-cps-global-lib: Missing permission check in Pipeline: Shared Groovy Libraries Plugin
Summary: CVE-2019-10357 jenkins-plugin-workflow-cps-global-lib: Missing permission che...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-10357
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1735528 1735526 1735527
Blocks: 1735517
TreeView+ depends on / blocked
 
Reported: 2019-08-01 03:32 UTC by Sam Fowler
Modified: 2019-09-29 15:18 UTC (History)
10 users (show)

Fixed In Version: jenkins-plugin-workflow-cps-global-lib 2.15
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-09-04 13:07:32 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2651 None None None 2019-09-04 07:15:47 UTC
Red Hat Product Errata RHSA-2019:2662 None None None 2019-09-11 05:16:30 UTC

Description Sam Fowler 2019-08-01 03:32:58 UTC
The Jenkins Pipeline: Shared Groovy Libraries Plugin provides form validation to determine whether the revision (e.g. commit, tag, or branch name) specified for a global library exists in the repository. This form validation method lacked a permission check, allowing attackers with Overall/Read access to determine whether an attacker-specified revision exists in an SCM repository configured for use in an existing shared library.

Pipeline: Shared Groovy Libraries Plugin now performs the appropriate permission check.


External References:

https://jenkins.io/security/advisory/2019-07-31/#SECURITY-1422

Comment 4 Sam Fowler 2019-08-01 04:00:14 UTC
"Any security advisory related updates to Jenkins core or the plugins we include in the OpenShift Jenkins master image will only occur in the v3.11 and v4.x branches of this repository."

https://github.com/openshift/jenkins/blob/master/README.md#jenkins-security-advisories-the-master-image-from-this-repository-and-the-oc-binary

Comment 5 errata-xmlrpc 2019-09-04 07:15:46 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2019:2651 https://access.redhat.com/errata/RHSA-2019:2651

Comment 6 Product Security DevOps Team 2019-09-04 13:07:32 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10357

Comment 7 errata-xmlrpc 2019-09-11 05:16:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:2662 https://access.redhat.com/errata/RHSA-2019:2662


Note You need to log in before you can comment on or make changes to this bug.