製品・ソフトウェアに関する情報

JVN脆弱性詳細

CloudBees Jenkins におけるマスターの暗号鍵を取得される脆弱性

タイトル	CloudBees Jenkins におけるマスターの暗号鍵を取得される脆弱性
概要	CloudBees Jenkins は、スレーブが取り付けられ、匿名読み取りアクセス (anonymous read access) が有効になっている場合、マスターの暗号鍵を取得される脆弱性が存在します。
想定される影響	第三者により、マスターの暗号鍵を取得される可能性があります。
対策	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
公表日	2013年1月4日0:00
登録日	2013年2月27日16:31
最終更新日	2013年2月27日16:31

CVSS2.0 : 注意
スコア	2.6
ベクター	AV:N/AC:H/Au:N/C:P/I:N/A:N

影響を受けるシステム

CloudBees

Jenkins 1.498 未満

Jenkins Enterprise 1.447.6.1 未満の 1.447.x

Jenkins Enterprise 1.466.12.1 未満の 1.466.x

Jenkins LTS 1.480.2 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	名前	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2013-0158	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0158
National Vulnerability Database (NVD)
2	CVE-2013-0158	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0158

CWE (共通脆弱性タイプ一覧)

No	名前	URL
JVNDB
1	CWE-noinfo	https://www.ipa.go.jp/security/vuln/CWE.html#CWEnoinfo

ベンダー情報

No	名前	URL
CloudBees
1	Jenkins Security Advisory 2013-01-04	https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04
2	Jenkins Security Advisory 2013-01-04.cb	http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2013-01-04.cb
GitHub
3	[SECURITY-49] actively invalidate bad API tokens.	https://github.com/jenkinsci/jenkins/commit/94a8789b699132dd706021a6be1b78bc47f19602
4	[SECURITY-49] added a tool to re-key secrets	https://github.com/jenkinsci/jenkins/commit/4895eaafca468b7f0f1a3166b2fca7414f0d5da5
5	[SECURITY-49] Backing off from @Extension-based discovery.	https://github.com/jenkinsci/jenkins/commit/c3d8e05a1b3d58b6c4dcff97394cb3a79608b4b2
6	[SECURITY-49] Deprecating Jenkins.getSecretKey()	https://github.com/jenkinsci/jenkins/commit/a9aff088f327278a8873aef47fa8f80d3c5932fd
7	[SECURITY-49] mark secret.key generated by post SECURITY-49 Jenkins.	https://github.com/jenkinsci/jenkins/commit/3dc13b957b14cec649036e8dd517f0f9cb21fb04
Red Hat Bugzilla
8	Bug 892795	https://bugzilla.redhat.com/show_bug.cgi?id=892795
Red Hat Security Advisory
9	RHSA-2013:0220	http://rhn.redhat.com/errata/RHSA-2013-0220.html

変更履歴

No	変更内容	変更日
0	[2013年02月27日] 掲載	2018年2月17日10:37

NVD脆弱性情報

CVE-2013-0158

概要	Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.
公表日	2013年2月25日7:55
登録日	2021年1月26日15:32
最終更新日	2024年11月21日10:46

影響を受けるソフトウェアの構成

構成1	以上	以下	より上	未満
cpe:2.3:a:cloudbees:jenkins::::::::		1.480.3.1
cpe:2.3:a:jenkins:jenkins:1.404:::::::*
cpe:2.3:a:jenkins:jenkins:1.403:::::::*
cpe:2.3:a:jenkins:jenkins:1.402:::::::*
cpe:2.3:a:jenkins:jenkins:1.401:::::::*
cpe:2.3:a:jenkins:jenkins:1.408:::::::*
cpe:2.3:a:jenkins:jenkins:1.407:::::::*
cpe:2.3:a:jenkins:jenkins:1.406:::::::*
cpe:2.3:a:jenkins:jenkins:1.405:::::::*
cpe:2.3:a:jenkins:jenkins:1.400:::::::*
cpe:2.3:a:jenkins:jenkins:1.437:::::::*
cpe:2.3:a:jenkins:jenkins:1.436:::::::*
cpe:2.3:a:jenkins:jenkins:1.435:::::::*
cpe:2.3:a:jenkins:jenkins:1.434:::::::*
cpe:2.3:a:jenkins:jenkins:1.433:::::::*
cpe:2.3:a:jenkins:jenkins:1.432:::::::*
cpe:2.3:a:jenkins:jenkins:1.431:::::::*
cpe:2.3:a:jenkins:jenkins:1.430:::::::*
cpe:2.3:a:jenkins:jenkins:1.409:::::::*
cpe:2.3:a:jenkins:jenkins:1.415:::::::*
cpe:2.3:a:jenkins:jenkins:1.414:::::::*
cpe:2.3:a:jenkins:jenkins:1.413:::::::*
cpe:2.3:a:jenkins:jenkins:1.412:::::::*
cpe:2.3:a:jenkins:jenkins:1.419:::::::*
cpe:2.3:a:jenkins:jenkins:1.418:::::::*
cpe:2.3:a:jenkins:jenkins:1.417:::::::*
cpe:2.3:a:jenkins:jenkins:1.416:::::::*
cpe:2.3:a:jenkins:jenkins:1.411:::::::*
cpe:2.3:a:jenkins:jenkins:1.410:::::::*
cpe:2.3:a:jenkins:jenkins:1.426:::::::*
cpe:2.3:a:jenkins:jenkins:1.425:::::::*
cpe:2.3:a:jenkins:jenkins:1.424:::::::*
cpe:2.3:a:jenkins:jenkins:1.423:::::::*
cpe:2.3:a:jenkins:jenkins:1.429:::::::*
cpe:2.3:a:jenkins:jenkins:1.428:::::::*
cpe:2.3:a:jenkins:jenkins:1.427:::::::*
cpe:2.3:a:jenkins:jenkins:1.422:::::::*
cpe:2.3:a:jenkins:jenkins:1.421:::::::*
cpe:2.3:a:jenkins:jenkins:1.420:::::::*

構成2	以上	以下	より上	未満
cpe:2.3:a:cloudbees:jenkins:1.466.2.1:-:enterprise:::::*
cpe:2.3:a:cloudbees:jenkins:1.466.1.2:-:enterprise:::::*

構成3	以上	以下	より上	未満
cpe:2.3:a:cloudbees:jenkins:1.424:-:lts:::::*
cpe:2.3:a:cloudbees:jenkins:1.400:-:lts:::::*
cpe:2.3:a:cloudbees:jenkins:1.447:-:lts:::::*
cpe:2.3:a:jenkins:jenkins::::::::		1.466.2
cpe:2.3:a:jenkins:jenkins:1.424.2:::::::*
cpe:2.3:a:jenkins:jenkins:1.424.1:::::::*
cpe:2.3:a:jenkins:jenkins:1.424.4:::::::*
cpe:2.3:a:jenkins:jenkins:1.424.3:::::::*
cpe:2.3:a:jenkins:jenkins:1.466.1:::::::*
cpe:2.3:a:jenkins:jenkins:1.447.2:::::::*
cpe:2.3:a:jenkins:jenkins:1.447.1:::::::*
cpe:2.3:a:jenkins:jenkins:1.409.2:::::::*
cpe:2.3:a:jenkins:jenkins:1.409.3:::::::*
cpe:2.3:a:jenkins:jenkins:1.424.6:::::::*
cpe:2.3:a:jenkins:jenkins:1.424.5:::::::*
cpe:2.3:a:jenkins:jenkins:1.409.1:::::::*

構成4	以上	以下	より上	未満
cpe:2.3:a:cloudbees:jenkins:1.447.1.1:-:enterprise:::::*
cpe:2.3:a:cloudbees:jenkins:1.447.2.2:-:enterprise:::::*
cpe:2.3:a:cloudbees:jenkins:1.447.3.1:-:enterprise:::::*

関連情報、対策とツール

No	URL	タグ
1	http://rhn.redhat.com/errata/RHSA-2013-0220.html
2	http://rhn.redhat.com/errata/RHSA-2013-0220.html
3	http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2013-01-04.cb	Vendor Advisory
4	http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2013-01-04.cb	Vendor Advisory
5	http://www.openwall.com/lists/oss-security/2013/01/07/4
6	http://www.openwall.com/lists/oss-security/2013/01/07/4
7	https://bugzilla.redhat.com/show_bug.cgi?id=892795
8	https://bugzilla.redhat.com/show_bug.cgi?id=892795
9	https://github.com/jenkinsci/jenkins/commit/3dc13b957b14cec649036e8dd517f0f9cb21fb04
10	https://github.com/jenkinsci/jenkins/commit/3dc13b957b14cec649036e8dd517f0f9cb21fb04
11	https://github.com/jenkinsci/jenkins/commit/4895eaafca468b7f0f1a3166b2fca7414f0d5da5
12	https://github.com/jenkinsci/jenkins/commit/4895eaafca468b7f0f1a3166b2fca7414f0d5da5
13	https://github.com/jenkinsci/jenkins/commit/94a8789b699132dd706021a6be1b78bc47f19602
14	https://github.com/jenkinsci/jenkins/commit/94a8789b699132dd706021a6be1b78bc47f19602
15	https://github.com/jenkinsci/jenkins/commit/a9aff088f327278a8873aef47fa8f80d3c5932fd
16	https://github.com/jenkinsci/jenkins/commit/a9aff088f327278a8873aef47fa8f80d3c5932fd
17	https://github.com/jenkinsci/jenkins/commit/c3d8e05a1b3d58b6c4dcff97394cb3a79608b4b2
18	https://github.com/jenkinsci/jenkins/commit/c3d8e05a1b3d58b6c4dcff97394cb3a79608b4b2
19	https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04	Vendor Advisory
20	https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04	Vendor Advisory

共通脆弱性一覧

構成1	以上	以下	より上	未満
cpe:2.3:a:cloudbees:jenkins::::::::		1.480.3.1
cpe:2.3:a:jenkins:jenkins:1.404:::::::*
cpe:2.3:a:jenkins:jenkins:1.403:::::::*
cpe:2.3:a:jenkins:jenkins:1.402:::::::*
cpe:2.3:a:jenkins:jenkins:1.401:::::::*
cpe:2.3:a:jenkins:jenkins:1.408:::::::*
cpe:2.3:a:jenkins:jenkins:1.407:::::::*
cpe:2.3:a:jenkins:jenkins:1.406:::::::*
cpe:2.3:a:jenkins:jenkins:1.405:::::::*
cpe:2.3:a:jenkins:jenkins:1.400:::::::*
cpe:2.3:a:jenkins:jenkins:1.437:::::::*
cpe:2.3:a:jenkins:jenkins:1.436:::::::*
cpe:2.3:a:jenkins:jenkins:1.435:::::::*
cpe:2.3:a:jenkins:jenkins:1.434:::::::*
cpe:2.3:a:jenkins:jenkins:1.433:::::::*
cpe:2.3:a:jenkins:jenkins:1.432:::::::*
cpe:2.3:a:jenkins:jenkins:1.431:::::::*
cpe:2.3:a:jenkins:jenkins:1.430:::::::*
cpe:2.3:a:jenkins:jenkins:1.409:::::::*
cpe:2.3:a:jenkins:jenkins:1.415:::::::*
cpe:2.3:a:jenkins:jenkins:1.414:::::::*
cpe:2.3:a:jenkins:jenkins:1.413:::::::*
cpe:2.3:a:jenkins:jenkins:1.412:::::::*
cpe:2.3:a:jenkins:jenkins:1.419:::::::*
cpe:2.3:a:jenkins:jenkins:1.418:::::::*
cpe:2.3:a:jenkins:jenkins:1.417:::::::*
cpe:2.3:a:jenkins:jenkins:1.416:::::::*
cpe:2.3:a:jenkins:jenkins:1.411:::::::*
cpe:2.3:a:jenkins:jenkins:1.410:::::::*
cpe:2.3:a:jenkins:jenkins:1.426:::::::*
cpe:2.3:a:jenkins:jenkins:1.425:::::::*
cpe:2.3:a:jenkins:jenkins:1.424:::::::*
cpe:2.3:a:jenkins:jenkins:1.423:::::::*
cpe:2.3:a:jenkins:jenkins:1.429:::::::*
cpe:2.3:a:jenkins:jenkins:1.428:::::::*
cpe:2.3:a:jenkins:jenkins:1.427:::::::*
cpe:2.3:a:jenkins:jenkins:1.422:::::::*
cpe:2.3:a:jenkins:jenkins:1.421:::::::*
cpe:2.3:a:jenkins:jenkins:1.420:::::::*

構成3	以上	以下	より上	未満
cpe:2.3:a:cloudbees:jenkins:1.424:-:lts:::::*
cpe:2.3:a:cloudbees:jenkins:1.400:-:lts:::::*
cpe:2.3:a:cloudbees:jenkins:1.447:-:lts:::::*
cpe:2.3:a:jenkins:jenkins::::::::		1.466.2
cpe:2.3:a:jenkins:jenkins:1.424.2:::::::*
cpe:2.3:a:jenkins:jenkins:1.424.1:::::::*
cpe:2.3:a:jenkins:jenkins:1.424.4:::::::*
cpe:2.3:a:jenkins:jenkins:1.424.3:::::::*
cpe:2.3:a:jenkins:jenkins:1.466.1:::::::*
cpe:2.3:a:jenkins:jenkins:1.447.2:::::::*
cpe:2.3:a:jenkins:jenkins:1.447.1:::::::*
cpe:2.3:a:jenkins:jenkins:1.409.2:::::::*
cpe:2.3:a:jenkins:jenkins:1.409.3:::::::*
cpe:2.3:a:jenkins:jenkins:1.424.6:::::::*
cpe:2.3:a:jenkins:jenkins:1.424.5:::::::*
cpe:2.3:a:jenkins:jenkins:1.409.1:::::::*