Blue Ocean における認可・権限・アクセス制御に関する脆弱性
| Title |
Blue Ocean における認可・権限・アクセス制御に関する脆弱性
|
| Summary |
Blue Ocean には、認可・権限・アクセス制御に関する脆弱性が存在します。
|
| Possible impacts |
情報を改ざんされる可能性があります。 |
| Solution |
ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。 |
| Publication Date |
Aug. 7, 2017, midnight |
| Registration Date |
Oct. 30, 2017, 4:11 p.m. |
| Last Update |
Oct. 30, 2017, 4:11 p.m. |
|
CVSS3.0 : 警告
|
| Score |
4.3
|
| Vector |
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
|
CVSS2.0 : 警告
|
| Score |
4
|
| Vector |
AV:N/AC:L/Au:S/C:N/I:P/A:N |
Affected System
| Jenkins プロジェクト |
|
Blue Ocean
|
CVE (情報セキュリティ 共通脆弱性識別子)
CWE (共通脆弱性タイプ一覧)
ベンダー情報
Change Log
| No |
Changed Details |
Date of change |
| 0 |
[2017年10月30日]
掲載 |
Feb. 17, 2018, 10:37 a.m. |
NVD Vulnerability Information
CVE-2017-1000110
| Summary |
Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in Jenkins. It did not properly check the current user's authentication and authorization when configuring existing GitHub organization folders. This allowed users with read access to the GitHub organization folder to reconfigure it, including changing the GitHub API endpoint for the organization folder to an attacker-controlled server to obtain the GitHub access token, if the organization folder was initially created using Blue Ocean.
|
| Publication Date |
Oct. 5, 2017, 10:29 a.m. |
| Registration Date |
Jan. 26, 2021, 1:11 p.m. |
| Last Update |
Nov. 21, 2024, 12:04 p.m. |
Affected software configurations
| Configuration1 |
or higher |
or less |
more than |
less than |
| cpe:2.3:a:jenkins:blue_ocean:1.2.0:beta-1:*:*:*:jenkins:*:* |
|
|
|
|
| cpe:2.3:a:jenkins:blue_ocean:1.2.0:beta-2:*:*:*:jenkins:*:* |
|
|
|
|
| cpe:2.3:a:jenkins:blue_ocean:1.2.0:beta-3:*:*:*:jenkins:*:* |
|
|
|
|
| cpe:2.3:a:jenkins:blue_ocean:*:*:*:*:*:jenkins:*:* |
|
1.1.5 |
|
|
Related information, measures and tools
Common Vulnerabilities List