CVE-2019-10357
First published: Wed Jul 31 2019(Updated: )
A missing permission check in Jenkins Pipeline: Shared Groovy Libraries Plugin 2.14 and earlier allowed users with Overall/Read access to obtain limited information about the content of SCM repositories referenced by global libraries.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.jenkins-ci.plugins.workflow:workflow-cps-global-lib | <=2.14 | 2.15 |
| redhat/jenkins-plugin-workflow-cps-global-lib | <2.15 | 2.15 |
| Jenkins Pipeline | <=2.14 | |
| Red Hat OpenShift Container Platform | =3.11 | |
| Red Hat OpenShift Container Platform | =4.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2019-10357
- https://access.redhat.com/errata/RHSA-2019:2594
- https://access.redhat.com/errata/RHSA-2019:2651
- https://access.redhat.com/errata/RHSA-2019:2662
- https://jenkins.io/security/advisory/2019-07-31/#SECURITY1422
- http://www.openwall.com/lists/oss-security/2019/07/31/1
- https://github.com/jenkinsci/workflow-cps-global-lib-plugin/commit/6fce1e241d82641e8648c546bc63c22a5e07e96b
- https://github.com/advisories/GHSA-9x5v-8352-244g (Advisory)
Frequently Asked Questions
What is the severity of CVE-2019-10357?
CVE-2019-10357 has a medium severity rating due to a missing permission check that could allow unauthorized access to SCM repository information.
How do I fix CVE-2019-10357?
To fix CVE-2019-10357, upgrade the Jenkins Pipeline: Shared Groovy Libraries Plugin to version 2.15 or later.
What systems are affected by CVE-2019-10357?
CVE-2019-10357 affects Jenkins Pipeline: Shared Groovy Libraries Plugin version 2.14 and earlier, as well as certain versions of Red Hat OpenShift Container Platform.
What type of vulnerability is CVE-2019-10357?
CVE-2019-10357 is a permissions-related vulnerability that allows users to access limited information in SCM repositories.
Can I mitigate CVE-2019-10357 without upgrading?
Mitigation options are limited; the recommended action is to upgrade the affected plugin to avoid risk.
- collector/github-advisory-latest
- alias/GHSA-9x5v-8352-244g
- alias/CVE-2019-10357
- collector/github-advisory
- agent/weakness
- agent/type
- agent/references
- agent/severity
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- collector/nvd-api
- package-manager/maven
- package-manager/redhat
- vendor/jenkins
- canonical/jenkins pipeline
- version/jenkins pipeline/2.14
- vendor/redhat
- canonical/red hat openshift container platform
- version/red hat openshift container platform/3.11
- version/red hat openshift container platform/4.1