CVE-2019-10362 – io.jenkins:configuration-as-code

Package

Manager: maven
Name: io.jenkins:configuration-as-code
Vulnerable Version: >=0 <1.25

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00119 pctl0.31558

Details

Improper Encoding or Escaping of Output in Jenkins Configuration as Code Plugin Jenkins Configuration as Code Plugin 1.24 and earlier did not escape values resulting in variable interpolation during configuration import when exporting, allowing attackers with permission to change Jenkins system configuration to obtain the values of environment variables.

Metadata

Created: 2022-05-24T16:51:51Z
Modified: 2022-06-28T22:38:20Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5r6p-p9r6-r326/GHSA-5r6p-p9r6-r326.json
CWE IDs: ["CWE-116"]
Alternative ID: GHSA-5r6p-p9r6-r326
Finding: F404
Auto approve: 1