Vulnerabilities > CVE-2019-10354 - Missing Authorization vulnerability in multiple products

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
LOW
Integrity impact
NONE
Availability impact
NONE
network
low complexity
jenkins
redhat
CWE-862
nessus

Summary

A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information.

Vulnerable Configurations

Part Description Count
Application
Jenkins
1017
Application
Redhat
2

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2503.NASL
    descriptionAn update for jenkins is now available for Red Hat OpenShift Container Platform 3.11. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Security Fix(es) : * jenkins: CSRF protection tokens did not expire (CVE-2019-10353) * jenkins: Arbitrary file write vulnerability using file parameter definitions (CVE-2019-10352) * jenkins: Unauthorized view fragment access (CVE-2019-10354) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id127989
    published2019-08-20
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127989
    titleRHEL 7 : OpenShift Container Platform 3.11 jenkins (RHSA-2019:2503)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2019:2503. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127989);
      script_version("1.5");
      script_cvs_date("Date: 2020/01/02");
    
      script_cve_id("CVE-2019-10352", "CVE-2019-10353", "CVE-2019-10354");
      script_xref(name:"RHSA", value:"2019:2503");
      script_xref(name:"TRA", value:"TRA-2019-35");
    
      script_name(english:"RHEL 7 : OpenShift Container Platform 3.11 jenkins (RHSA-2019:2503)");
      script_summary(english:"Checks the rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for jenkins is now available for Red Hat OpenShift Container
    Platform 3.11.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Jenkins is a continuous integration server that monitors executions of
    repeated jobs, such as building a software project or jobs run by
    cron.
    
    Security Fix(es) :
    
    * jenkins: CSRF protection tokens did not expire (CVE-2019-10353)
    
    * jenkins: Arbitrary file write vulnerability using file parameter
    definitions (CVE-2019-10352)
    
    * jenkins: Unauthorized view fragment access (CVE-2019-10354)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, acknowledgments, and other related information, refer to
    the CVE page(s) listed in the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2019:2503"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-10352"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-10353"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-10354"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.tenable.com/security/research/tra-2019-35"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected jenkins package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jenkins");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/08/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/20");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2019:2503";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", reference:"jenkins-2.176.2.1563460897-1.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "jenkins");
      }
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2548.NASL
    descriptionAn update for jenkins is now available for Red Hat OpenShift Container Platform 4.1. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Security Fix(es) : * jenkins: CSRF protection tokens did not expire (CVE-2019-10353) * jenkins: Arbitrary file write vulnerability using file parameter definitions (CVE-2019-10352) * jenkins: Unauthorized view fragment access (CVE-2019-10354) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id128406
    published2019-08-30
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128406
    titleRHEL 7 : OpenShift Container Platform 4.1 jenkins (RHSA-2019:2548)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2019:2548. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(128406);
      script_version("1.6");
      script_cvs_date("Date: 2019/12/31");
    
      script_cve_id("CVE-2019-10352", "CVE-2019-10353", "CVE-2019-10354");
      script_xref(name:"RHSA", value:"2019:2548");
      script_xref(name:"TRA", value:"TRA-2019-35");
    
      script_name(english:"RHEL 7 : OpenShift Container Platform 4.1 jenkins (RHSA-2019:2548)");
      script_summary(english:"Checks the rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for jenkins is now available for Red Hat OpenShift Container
    Platform 4.1.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Jenkins is a continuous integration server that monitors executions of
    repeated jobs, such as building a software project or jobs run by
    cron.
    
    Security Fix(es) :
    
    * jenkins: CSRF protection tokens did not expire (CVE-2019-10353)
    
    * jenkins: Arbitrary file write vulnerability using file parameter
    definitions (CVE-2019-10352)
    
    * jenkins: Unauthorized view fragment access (CVE-2019-10354)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, acknowledgments, and other related information, refer to
    the CVE page(s) listed in the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2019:2548"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-10352"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-10353"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-10354"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.tenable.com/security/research/tra-2019-35"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected jenkins package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jenkins");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/08/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/30");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2019:2548";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
    
      if (! (rpm_exists(release:"RHEL7", rpm:"atomic-openshift-"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "OpenShift");
    
      if (rpm_check(release:"RHEL7", reference:"jenkins-2.176.2.1563461785-1.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "jenkins");
      }
    }
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_DF3DB21D1A4D4C78ACF74639E5A795E0.NASL
    descriptionJenkins Security Advisory : Description(Medium) SECURITY-1424 / CVE-2019-10352 Arbitrary file write vulnerability using file parameter definitions (High) SECURITY-626 / CVE-2019-10353 CSRF protection tokens did not expire (Medium) SECURITY-534 / CVE-2019-10354 Unauthorized view fragment access
    last seen2020-06-01
    modified2020-06-02
    plugin id126806
    published2019-07-19
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126806
    titleFreeBSD : jenkins -- multiple vulnerabilities (df3db21d-1a4d-4c78-acf7-4639e5a795e0)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2020 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(126806);
      script_version("1.3");
      script_cvs_date("Date: 2020/01/08");
    
      script_cve_id("CVE-2019-10352", "CVE-2019-10353", "CVE-2019-10354");
      script_xref(name:"TRA", value:"TRA-2019-35");
    
      script_name(english:"FreeBSD : jenkins -- multiple vulnerabilities (df3db21d-1a4d-4c78-acf7-4639e5a795e0)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Jenkins Security Advisory : Description(Medium) SECURITY-1424 /
    CVE-2019-10352 Arbitrary file write vulnerability using file parameter
    definitions (High) SECURITY-626 / CVE-2019-10353 CSRF protection
    tokens did not expire (Medium) SECURITY-534 / CVE-2019-10354
    Unauthorized view fragment access"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://jenkins.io/security/advisory/2019-07-17/"
      );
      # https://vuxml.freebsd.org/freebsd/df3db21d-1a4d-4c78-acf7-4639e5a795e0.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?7263dd3a"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.tenable.com/security/research/tra-2019-35"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:jenkins");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:jenkins-lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/19");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"jenkins<2.186")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"jenkins-lts<2.176.2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyCGI abuses
    NASL idJENKINS_2_186.NASL
    descriptionThe version of Jenkins running on the remote web server is prior to 2.186 or is a version of Jenkins LTS prior to 2.176.2. It is, therefore, affected by multiple vulnerabilities: - An arbitrary file write vulnerability exists due to an incomplete fix for SECURITY-1074, the improper validation of the file parameter definition. An authenticated, remote attacker can exploit this, via a file name with a relative path escaping the base directory, to write arbitrary files on the remote host. (CVE-2019-10352) - A security bypass vulnerability exists due to insufficent validaiton of CSRF tokens. An unauthenticated, remote attacker can exploit this, after obtaining the CSRF token of another user, to bypass CSRF protections and implement a CSRF attack. (CVE-2019-10353) - An information disclosure vulnerability exists in the Stapler web framework due to inadequit permission control of view fragments. An authenticated, remote attacker can exploit this, to disclose potentially sensitive information. (CVE-2019-10354) Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127053
    published2019-07-26
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127053
    titleJenkins < 2.176.2 LTS / 2.186 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127053);
      script_version("1.3");
      script_cvs_date("Date: 2020/02/06");
    
      script_cve_id("CVE-2019-10352", "CVE-2019-10353", "CVE-2019-10354");
      script_bugtraq_id(109299, 109373);
      script_xref(name:"TRA", value:"TRA-2019-35");
    
      script_name(english:"Jenkins < 2.176.2 LTS / 2.186 Multiple Vulnerabilities");
      script_summary(english:"Checks the Jenkins version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A job scheduling and management system hosted on the remote web server is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Jenkins running on the remote web server is prior to 2.186 or is a version of Jenkins LTS prior to
    2.176.2. It is, therefore, affected by multiple vulnerabilities:
    
      - An arbitrary file write vulnerability exists due to an incomplete fix for SECURITY-1074, the improper
        validation of the file parameter definition. An authenticated, remote attacker can exploit this, via a
        file name with a relative path escaping the base directory, to write arbitrary files on the remote host.
        (CVE-2019-10352)
    
      - A security bypass vulnerability exists due to insufficent validaiton of CSRF tokens. An unauthenticated,
        remote attacker can exploit this, after obtaining the CSRF token of another user, to bypass CSRF
        protections and implement a CSRF attack. (CVE-2019-10353)
    
      - An information disclosure vulnerability exists in the Stapler web framework due to inadequit permission
        control of view fragments. An authenticated, remote attacker can exploit this, to disclose potentially
        sensitive information. (CVE-2019-10354)
    
    Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"https://jenkins.io/security/advisory/2019-07-17/");
      script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2019-35");
      script_set_attribute(attribute:"solution", value:
    "Upgrade Jenkins to version 2.186 or later, Jenkins LTS to version 2.176.2 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-10353");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/26");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:cloudbees:jenkins");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("jenkins_detect.nasl");
      script_require_keys("www/Jenkins");
      script_require_ports("Services/www", 8080);
    
      exit(0);
    }
    
    include('audit.inc');
    include('global_settings.inc');
    include('misc_func.inc');
    include('http.inc');
    include('vcf.inc');
    
    port = get_http_port(default:8080);
    app = vcf::get_app_info(app:'Jenkins', webapp:TRUE, port:port);
    
    if(app['LTS'])
      constraints = [{'fixed_version' : '2.176.2', 'fixed_display' : '2.176.2 LTS / 2.186'}];
    else
      constraints = [{'fixed_version' : '2.186', 'fixed_display' : '2.176.2 LTS / 2.186'}];
    
    vcf::check_version_and_report(app_info:app, constraints:constraints, severity:SECURITY_WARNING, strict:FALSE);
    

Redhat

advisories
  • rhsa
    idRHSA-2019:2503
  • rhsa
    idRHSA-2019:2548
rpms
  • jenkins-0:2.176.2.1563460897-1.el7
  • jenkins-0:2.176.2.1563461785-1.el7