CVE-2019-16558 - Vulnerability Details

Vendors	Products
Jenkins	Spira Importer

Link	Providers
http://www.openwall.com/lists/oss-security/2019/12/17/1
https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1580

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "Jenkins Spira Importer Plugin", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "3.2.3", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Jenkins Spira Importer Plugin 3.2.3 and earlier disables SSL/TLS certificate validation for the Jenkins master JVM."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T16:50:49.245Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1580"}, {"name": "[oss-security] 20191217 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2019/12/17/1"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2019-16558", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins Spira Importer Plugin", "version": {"version_data": [{"version_affected": "<=", "version_value": "3.2.3"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jenkins Spira Importer Plugin 3.2.3 and earlier disables SSL/TLS certificate validation for the Jenkins master JVM."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-295: Improper Certificate Validation"}]}]}, "references": {"reference_data": [{"name": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1580", "refsource": "CONFIRM", "url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1580"}, {"name": "[oss-security] 20191217 Multiple vulnerabilities in Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/12/17/1"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:17:41.027Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1580"}, {"name": "[oss-security] 20191217 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2019/12/17/1"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2019-16558", "datePublished": "2019-12-17T14:40:49", "dateReserved": "2019-09-20T00:00:00", "dateUpdated": "2024-08-05T01:17:41.027Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : Jenkins Spira Importer Plugin (string)

vendor : Jenkins project (string)

versions : [ »

0 : { »

lessThanOrEqual : 3.2.3 (string)

status : affected (string)

version : unspecified (string)

versionType : custom (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : Jenkins Spira Importer Plugin 3.2.3 and earlier disables SSL/TLS certificate validation for the Jenkins master JVM. (string)

}

]

providerMetadata : { »

orgId : 39769cd5-e6e2-4dc8-927e-97b3aa056f5b (string)

shortName : jenkins (string)

dateUpdated : 2023-10-24T16:50:49.245Z (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1580 (string)

}

1 : { »

name : [oss-security] 20191217 Multiple vulnerabilities in Jenkins plugins (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : http://www.openwall.com/lists/oss-security/2019/12/17/1 (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : jenkinsci-cert@googlegroups.com (string)

ID : CVE-2019-16558 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : Jenkins Spira Importer Plugin (string)

version : { »

version_data : [ »

0 : { »

version_affected : <= (string)

version_value : 3.2.3 (string)

}

]

}

]

}

vendor_name : Jenkins project (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : Jenkins Spira Importer Plugin 3.2.3 and earlier disables SSL/TLS certificate validation for the Jenkins master JVM. (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : CWE-295: Improper Certificate Validation (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1580 (string)

refsource : CONFIRM (string)

url : https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1580 (string)

}

1 : { »

name : [oss-security] 20191217 Multiple vulnerabilities in Jenkins plugins (string)

refsource : MLIST (string)

url : http://www.openwall.com/lists/oss-security/2019/12/17/1 (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-05T01:17:41.027Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1580 (string)

}

1 : { »

name : [oss-security] 20191217 Multiple vulnerabilities in Jenkins plugins (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : http://www.openwall.com/lists/oss-security/2019/12/17/1 (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : 39769cd5-e6e2-4dc8-927e-97b3aa056f5b (string)

assignerShortName : jenkins (string)

cveId : CVE-2019-16558 (string)

datePublished : 2019-12-17T14:40:49 (string)

dateReserved : 2019-09-20T00:00:00 (string)

dateUpdated : 2024-08-05T01:17:41.027Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:spira_importer:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "982F7389-10EA-4770-A31C-26B98FC40776", "versionEndIncluding": "3.2.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Jenkins Spira Importer Plugin 3.2.3 and earlier disables SSL/TLS certificate validation for the Jenkins master JVM."}, {"lang": "es", "value": "Jenkins Spira Importer Plugin 3.2.3 y versiones anteriores deshabilita la validaci\u00f3n de certificados SSL/TLS para la JVM maestra de Jenkins."}], "id": "CVE-2019-16558", "lastModified": "2024-11-21T04:30:49.347", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-12-17T15:15:17.800", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2019/12/17/1"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1580"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2019/12/17/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1580"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:jenkins:spira_importer:*:*:*:*:*:jenkins:*:* (string)

matchCriteriaId : 982F7389-10EA-4770-A31C-26B98FC40776 (string)

versionEndIncluding : 3.2.3 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : Jenkins Spira Importer Plugin 3.2.3 and earlier disables SSL/TLS certificate validation for the Jenkins master JVM. (string)

}

1 : { »

lang : es (string)

value : Jenkins Spira Importer Plugin 3.2.3 y versiones anteriores deshabilita la validación de certificados SSL/TLS para la JVM maestra de Jenkins. (string)

}

]

id : CVE-2019-16558 (string)

lastModified : 2024-11-21T04:30:49.347 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : LOW (string)

accessVector : NETWORK (string)

authentication : NONE (string)

availabilityImpact : NONE (string)

baseScore : 6.4 (number)

confidentialityImpact : PARTIAL (string)

integrityImpact : PARTIAL (string)

vectorString : AV:N/AC:L/Au:N/C:P/I:P/A:N (string)

version : 2.0 (string)

}

exploitabilityScore : 10 (number)

impactScore : 4.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 8.2 (number)

baseSeverity : HIGH (string)

confidentialityImpact : HIGH (string)

integrityImpact : LOW (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 3.9 (number)

impactScore : 4.2 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2019-12-17T15:15:17.800 (string)

references : [ »

0 : { »

source : jenkinsci-cert@googlegroups.com (string)

tags : [ »

0 : Mailing List (string)

1 : Third Party Advisory (string)

]

url : http://www.openwall.com/lists/oss-security/2019/12/17/1 (string)

}

1 : { »

source : jenkinsci-cert@googlegroups.com (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1580 (string)

}

2 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Mailing List (string)

1 : Third Party Advisory (string)

]

url : http://www.openwall.com/lists/oss-security/2019/12/17/1 (string)

}

3 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1580 (string)

}

]

sourceIdentifier : jenkinsci-cert@googlegroups.com (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-295 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object