CVE-2019-10375

An arbitrary file read vulnerability in Jenkins File System SCM Plugin 2.1 and earlier allows attackers able to configure jobs in Jenkins to obtain the contents of any file on the Jenkins master.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.openwall.com/lists/oss-security/2019/08/07/1	Mailing List Third Party Advisory
https://jenkins.io/security/advisory/2019-08-07/#SECURITY-569	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:jenkins:file_system_scm:*:*:*:*:*:jenkins:*:*

History

No history.

Information

Published : 2019-08-07 15:15

Updated : 2023-10-25 18:16

NVD link : CVE-2019-10375

Mitre link : CVE-2019-10375

CVE.ORG link : CVE-2019-10375

JSON object : View

Products Affected

jenkins

file_system_scm

CWE

NVD-CWE-Other

{"id": "CVE-2019-10375", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2019-08-07T15:15:12.640", "references": [{"url": "http://www.openwall.com/lists/oss-security/2019/08/07/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "jenkinsci-cert@googlegroups.com"}, {"url": "https://jenkins.io/security/advisory/2019-08-07/#SECURITY-569", "tags": ["Vendor Advisory"], "source": "jenkinsci-cert@googlegroups.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "An arbitrary file read vulnerability in Jenkins File System SCM Plugin 2.1 and earlier allows attackers able to configure jobs in Jenkins to obtain the contents of any file on the Jenkins master."}, {"lang": "es", "value": "Una vulnerabilidad de lectura de archivos arbitraria en el Plugin File System SCM de Jenkins versi\u00f3n 2.1 y anteriores, permite a atacantes configurar trabajos en Jenkins para obtener el contenido de cualquier archivo en el maestro de Jenkins."}], "lastModified": "2023-10-25T18:16:19.270", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:file_system_scm:*:*:*:*:*:jenkins:*:*", "vulnerable": true, "matchCriteriaId": "1EABC07B-7FFF-42E2-94C2-C40DEA8587F4", "versionEndIncluding": "2.1"}], "operator": "OR"}]}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com"}