製品・ソフトウェアに関する情報

JVN脆弱性詳細

CloudBees Jenkins におけるマスターの暗号鍵を取得される脆弱性

Title	CloudBees Jenkins におけるマスターの暗号鍵を取得される脆弱性
Summary	CloudBees Jenkins は、スレーブが取り付けられ、匿名読み取りアクセス (anonymous read access) が有効になっている場合、マスターの暗号鍵を取得される脆弱性が存在します。
Possible impacts	第三者により、マスターの暗号鍵を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Jan. 4, 2013, midnight
Registration Date	Feb. 27, 2013, 4:31 p.m.
Last Update	Feb. 27, 2013, 4:31 p.m.

CVSS2.0 : 注意
Score	2.6
Vector	AV:N/AC:H/Au:N/C:P/I:N/A:N

Affected System

CloudBees

Jenkins 1.498 未満

Jenkins Enterprise 1.447.6.1 未満の 1.447.x

Jenkins Enterprise 1.466.12.1 未満の 1.466.x

Jenkins LTS 1.480.2 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2013-0158	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0158
National Vulnerability Database (NVD)
2	CVE-2013-0158	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0158

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-noinfo	https://www.ipa.go.jp/security/vuln/CWE.html#CWEnoinfo

ベンダー情報

No	Name	URL
CloudBees
1	Jenkins Security Advisory 2013-01-04	https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04
2	Jenkins Security Advisory 2013-01-04.cb	http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2013-01-04.cb
GitHub
3	[SECURITY-49] actively invalidate bad API tokens.	https://github.com/jenkinsci/jenkins/commit/94a8789b699132dd706021a6be1b78bc47f19602
4	[SECURITY-49] added a tool to re-key secrets	https://github.com/jenkinsci/jenkins/commit/4895eaafca468b7f0f1a3166b2fca7414f0d5da5
5	[SECURITY-49] Backing off from @Extension-based discovery.	https://github.com/jenkinsci/jenkins/commit/c3d8e05a1b3d58b6c4dcff97394cb3a79608b4b2
6	[SECURITY-49] Deprecating Jenkins.getSecretKey()	https://github.com/jenkinsci/jenkins/commit/a9aff088f327278a8873aef47fa8f80d3c5932fd
7	[SECURITY-49] mark secret.key generated by post SECURITY-49 Jenkins.	https://github.com/jenkinsci/jenkins/commit/3dc13b957b14cec649036e8dd517f0f9cb21fb04
Red Hat Bugzilla
8	Bug 892795	https://bugzilla.redhat.com/show_bug.cgi?id=892795
Red Hat Security Advisory
9	RHSA-2013:0220	http://rhn.redhat.com/errata/RHSA-2013-0220.html

Change Log

No	Changed Details	Date of change
0	[2013年02月27日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2013-0158

Summary	Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.
Publication Date	Feb. 25, 2013, 7:55 a.m.
Registration Date	Jan. 26, 2021, 3:32 p.m.
Last Update	Nov. 21, 2024, 10:46 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:cloudbees:jenkins::::::::		1.480.3.1
cpe:2.3:a:jenkins:jenkins:1.404:::::::*
cpe:2.3:a:jenkins:jenkins:1.403:::::::*
cpe:2.3:a:jenkins:jenkins:1.402:::::::*
cpe:2.3:a:jenkins:jenkins:1.401:::::::*
cpe:2.3:a:jenkins:jenkins:1.408:::::::*
cpe:2.3:a:jenkins:jenkins:1.407:::::::*
cpe:2.3:a:jenkins:jenkins:1.406:::::::*
cpe:2.3:a:jenkins:jenkins:1.405:::::::*
cpe:2.3:a:jenkins:jenkins:1.400:::::::*
cpe:2.3:a:jenkins:jenkins:1.437:::::::*
cpe:2.3:a:jenkins:jenkins:1.436:::::::*
cpe:2.3:a:jenkins:jenkins:1.435:::::::*
cpe:2.3:a:jenkins:jenkins:1.434:::::::*
cpe:2.3:a:jenkins:jenkins:1.433:::::::*
cpe:2.3:a:jenkins:jenkins:1.432:::::::*
cpe:2.3:a:jenkins:jenkins:1.431:::::::*
cpe:2.3:a:jenkins:jenkins:1.430:::::::*
cpe:2.3:a:jenkins:jenkins:1.409:::::::*
cpe:2.3:a:jenkins:jenkins:1.415:::::::*
cpe:2.3:a:jenkins:jenkins:1.414:::::::*
cpe:2.3:a:jenkins:jenkins:1.413:::::::*
cpe:2.3:a:jenkins:jenkins:1.412:::::::*
cpe:2.3:a:jenkins:jenkins:1.419:::::::*
cpe:2.3:a:jenkins:jenkins:1.418:::::::*
cpe:2.3:a:jenkins:jenkins:1.417:::::::*
cpe:2.3:a:jenkins:jenkins:1.416:::::::*
cpe:2.3:a:jenkins:jenkins:1.411:::::::*
cpe:2.3:a:jenkins:jenkins:1.410:::::::*
cpe:2.3:a:jenkins:jenkins:1.426:::::::*
cpe:2.3:a:jenkins:jenkins:1.425:::::::*
cpe:2.3:a:jenkins:jenkins:1.424:::::::*
cpe:2.3:a:jenkins:jenkins:1.423:::::::*
cpe:2.3:a:jenkins:jenkins:1.429:::::::*
cpe:2.3:a:jenkins:jenkins:1.428:::::::*
cpe:2.3:a:jenkins:jenkins:1.427:::::::*
cpe:2.3:a:jenkins:jenkins:1.422:::::::*
cpe:2.3:a:jenkins:jenkins:1.421:::::::*
cpe:2.3:a:jenkins:jenkins:1.420:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:cloudbees:jenkins:1.466.2.1:-:enterprise:::::*
cpe:2.3:a:cloudbees:jenkins:1.466.1.2:-:enterprise:::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:cloudbees:jenkins:1.424:-:lts:::::*
cpe:2.3:a:cloudbees:jenkins:1.400:-:lts:::::*
cpe:2.3:a:cloudbees:jenkins:1.447:-:lts:::::*
cpe:2.3:a:jenkins:jenkins::::::::		1.466.2
cpe:2.3:a:jenkins:jenkins:1.424.2:::::::*
cpe:2.3:a:jenkins:jenkins:1.424.1:::::::*
cpe:2.3:a:jenkins:jenkins:1.424.4:::::::*
cpe:2.3:a:jenkins:jenkins:1.424.3:::::::*
cpe:2.3:a:jenkins:jenkins:1.466.1:::::::*
cpe:2.3:a:jenkins:jenkins:1.447.2:::::::*
cpe:2.3:a:jenkins:jenkins:1.447.1:::::::*
cpe:2.3:a:jenkins:jenkins:1.409.2:::::::*
cpe:2.3:a:jenkins:jenkins:1.409.3:::::::*
cpe:2.3:a:jenkins:jenkins:1.424.6:::::::*
cpe:2.3:a:jenkins:jenkins:1.424.5:::::::*
cpe:2.3:a:jenkins:jenkins:1.409.1:::::::*

Configuration4	or higher	or less	more than	less than
cpe:2.3:a:cloudbees:jenkins:1.447.1.1:-:enterprise:::::*
cpe:2.3:a:cloudbees:jenkins:1.447.2.2:-:enterprise:::::*
cpe:2.3:a:cloudbees:jenkins:1.447.3.1:-:enterprise:::::*

Related information, measures and tools

No	URL	タグ
1	http://rhn.redhat.com/errata/RHSA-2013-0220.html
2	http://rhn.redhat.com/errata/RHSA-2013-0220.html
3	http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2013-01-04.cb	Vendor Advisory
4	http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2013-01-04.cb	Vendor Advisory
5	http://www.openwall.com/lists/oss-security/2013/01/07/4
6	http://www.openwall.com/lists/oss-security/2013/01/07/4
7	https://bugzilla.redhat.com/show_bug.cgi?id=892795
8	https://bugzilla.redhat.com/show_bug.cgi?id=892795
9	https://github.com/jenkinsci/jenkins/commit/3dc13b957b14cec649036e8dd517f0f9cb21fb04
10	https://github.com/jenkinsci/jenkins/commit/3dc13b957b14cec649036e8dd517f0f9cb21fb04
11	https://github.com/jenkinsci/jenkins/commit/4895eaafca468b7f0f1a3166b2fca7414f0d5da5
12	https://github.com/jenkinsci/jenkins/commit/4895eaafca468b7f0f1a3166b2fca7414f0d5da5
13	https://github.com/jenkinsci/jenkins/commit/94a8789b699132dd706021a6be1b78bc47f19602
14	https://github.com/jenkinsci/jenkins/commit/94a8789b699132dd706021a6be1b78bc47f19602
15	https://github.com/jenkinsci/jenkins/commit/a9aff088f327278a8873aef47fa8f80d3c5932fd
16	https://github.com/jenkinsci/jenkins/commit/a9aff088f327278a8873aef47fa8f80d3c5932fd
17	https://github.com/jenkinsci/jenkins/commit/c3d8e05a1b3d58b6c4dcff97394cb3a79608b4b2
18	https://github.com/jenkinsci/jenkins/commit/c3d8e05a1b3d58b6c4dcff97394cb3a79608b4b2
19	https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04	Vendor Advisory
20	https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04	Vendor Advisory

Common Vulnerabilities List

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:cloudbees:jenkins::::::::		1.480.3.1
cpe:2.3:a:jenkins:jenkins:1.404:::::::*
cpe:2.3:a:jenkins:jenkins:1.403:::::::*
cpe:2.3:a:jenkins:jenkins:1.402:::::::*
cpe:2.3:a:jenkins:jenkins:1.401:::::::*
cpe:2.3:a:jenkins:jenkins:1.408:::::::*
cpe:2.3:a:jenkins:jenkins:1.407:::::::*
cpe:2.3:a:jenkins:jenkins:1.406:::::::*
cpe:2.3:a:jenkins:jenkins:1.405:::::::*
cpe:2.3:a:jenkins:jenkins:1.400:::::::*
cpe:2.3:a:jenkins:jenkins:1.437:::::::*
cpe:2.3:a:jenkins:jenkins:1.436:::::::*
cpe:2.3:a:jenkins:jenkins:1.435:::::::*
cpe:2.3:a:jenkins:jenkins:1.434:::::::*
cpe:2.3:a:jenkins:jenkins:1.433:::::::*
cpe:2.3:a:jenkins:jenkins:1.432:::::::*
cpe:2.3:a:jenkins:jenkins:1.431:::::::*
cpe:2.3:a:jenkins:jenkins:1.430:::::::*
cpe:2.3:a:jenkins:jenkins:1.409:::::::*
cpe:2.3:a:jenkins:jenkins:1.415:::::::*
cpe:2.3:a:jenkins:jenkins:1.414:::::::*
cpe:2.3:a:jenkins:jenkins:1.413:::::::*
cpe:2.3:a:jenkins:jenkins:1.412:::::::*
cpe:2.3:a:jenkins:jenkins:1.419:::::::*
cpe:2.3:a:jenkins:jenkins:1.418:::::::*
cpe:2.3:a:jenkins:jenkins:1.417:::::::*
cpe:2.3:a:jenkins:jenkins:1.416:::::::*
cpe:2.3:a:jenkins:jenkins:1.411:::::::*
cpe:2.3:a:jenkins:jenkins:1.410:::::::*
cpe:2.3:a:jenkins:jenkins:1.426:::::::*
cpe:2.3:a:jenkins:jenkins:1.425:::::::*
cpe:2.3:a:jenkins:jenkins:1.424:::::::*
cpe:2.3:a:jenkins:jenkins:1.423:::::::*
cpe:2.3:a:jenkins:jenkins:1.429:::::::*
cpe:2.3:a:jenkins:jenkins:1.428:::::::*
cpe:2.3:a:jenkins:jenkins:1.427:::::::*
cpe:2.3:a:jenkins:jenkins:1.422:::::::*
cpe:2.3:a:jenkins:jenkins:1.421:::::::*
cpe:2.3:a:jenkins:jenkins:1.420:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:cloudbees:jenkins:1.424:-:lts:::::*
cpe:2.3:a:cloudbees:jenkins:1.400:-:lts:::::*
cpe:2.3:a:cloudbees:jenkins:1.447:-:lts:::::*
cpe:2.3:a:jenkins:jenkins::::::::		1.466.2
cpe:2.3:a:jenkins:jenkins:1.424.2:::::::*
cpe:2.3:a:jenkins:jenkins:1.424.1:::::::*
cpe:2.3:a:jenkins:jenkins:1.424.4:::::::*
cpe:2.3:a:jenkins:jenkins:1.424.3:::::::*
cpe:2.3:a:jenkins:jenkins:1.466.1:::::::*
cpe:2.3:a:jenkins:jenkins:1.447.2:::::::*
cpe:2.3:a:jenkins:jenkins:1.447.1:::::::*
cpe:2.3:a:jenkins:jenkins:1.409.2:::::::*
cpe:2.3:a:jenkins:jenkins:1.409.3:::::::*
cpe:2.3:a:jenkins:jenkins:1.424.6:::::::*
cpe:2.3:a:jenkins:jenkins:1.424.5:::::::*
cpe:2.3:a:jenkins:jenkins:1.409.1:::::::*