CVE-2019-10330

Jenkins Gitea Plugin 1.1.1 and earlier did not implement trusted revisions, allowing attackers without commit access to the Git repo to change Jenkinsfiles even if Jenkins is configured to consider them to be untrusted.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.openwall.com/lists/oss-security/2019/05/31/2	Mailing List Third Party Advisory
http://www.securityfocus.com/bid/108540	Third Party Advisory VDB Entry
https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1046	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:gitea:gitea:*:*:*:*:*:jenkins:*:*

History

No history.

Information

Published : 2019-05-31 15:29

Updated : 2024-02-04 20:20

NVD link : CVE-2019-10330

Mitre link : CVE-2019-10330

CVE.ORG link : CVE-2019-10330

JSON object : View

Products Affected

gitea

gitea

CWE

CWE-862

Missing Authorization

{"id": "CVE-2019-10330", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2019-05-31T15:29:00.590", "references": [{"url": "http://www.openwall.com/lists/oss-security/2019/05/31/2", "tags": ["Mailing List", "Third Party Advisory"], "source": "jenkinsci-cert@googlegroups.com"}, {"url": "http://www.securityfocus.com/bid/108540", "tags": ["Third Party Advisory", "VDB Entry"], "source": "jenkinsci-cert@googlegroups.com"}, {"url": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1046", "tags": ["Vendor Advisory"], "source": "jenkinsci-cert@googlegroups.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Jenkins Gitea Plugin 1.1.1 and earlier did not implement trusted revisions, allowing attackers without commit access to the Git repo to change Jenkinsfiles even if Jenkins is configured to consider them to be untrusted."}, {"lang": "es", "value": "En Plugin Gitea de Jenkins versi\u00f3n 1.1.1 y anteriores, no fueron implementadas revisiones seguras, lo que permite a atacanter sin acceso comprometido al repositorio Git cambiar los archivos de Jenkins, inclusive si Jenkins se configur\u00f3 para considerar que no son de confianza"}], "lastModified": "2023-10-25T18:16:16.220", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:jenkins:*:*", "vulnerable": true, "matchCriteriaId": "FAFFE9F0-F731-4624-89BF-DC40B3F1C00A", "versionEndIncluding": "1.1.1"}], "operator": "OR"}]}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com"}