From 7a196840ff82b1b796bde9c215ac4a6e1db2307f Mon Sep 17 00:00:00 2001
From: Weston Steimel
Date: Fri, 15 Nov 2024 15:41:56 +0000
Subject: [PATCH] adjust version ranges for CVE-2019-1003098 to prevent some false positives to unrelated jenkins plugin

Signed-off-by: Weston Steimel
---
 data/anchore/2019/CVE-2019-1003098.json | 36 +++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 data/anchore/2019/CVE-2019-1003098.json

diff --git a/data/anchore/2019/CVE-2019-1003098.json b/data/anchore/2019/CVE-2019-1003098.json
new file mode 100644
index 00000000..ada600ec
--- /dev/null
+++ b/data/anchore/2019/CVE-2019-1003098.json
@@ -0,0 +1,36 @@
+{
+ "additionalMetadata": {
+ "cna": "jenkins",
+ "cveId": "CVE-2019-1003098",
+ "description": "A cross-site request forgery vulnerability in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server.",
+ "reason": "Add a version range showing that this is not fixed but that won't flag new versions of the unrelated oic-auth plugin as vulnerable (due to an issue with the NVD CPE dict data)",
+ "references": [
+ "http://www.openwall.com/lists/oss-security/2019/04/12/2",
+ "http://www.securityfocus.com/bid/107790",
+ "https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1084"
+ ]
+ },
+ "adp": {
+ "affected": [
+ {
+ "cpes": [
+ "cpe:2.3:a:jenkins:openid:*:*:*:*:*:jenkins:*:*"
+ ],
+ "product": "Jenkins openid Plugin",
+ "vendor": "Jenkins project",
+ "versions": [
+ {
+ "lessThanOrEqual": "2.4",
+ "status": "affected",
+ "version": "0",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "00000000-0000-4000-8000-000000000000",
+ "shortName": "anchoreadp"
+ }
+ }
+}
\ No newline at end of file
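Review bot: The `"lessThanOrEqual": "2.4"` bound in the `versions` entry does not actually encode "not fixed" as the `reason` string claims: a consumer of this record sees only `0 <= v <= 2.4` marked `affected`, so any openid plugin release newer than 2.4 (which, per the Jenkins advisory reference, would still carry the CSRF since no fix is listed) silently becomes a false negative, and nothing in the file distinguishes that from "fixed in 2.5". Trading that for suppressing the oic-auth false positive may be the right call given the NVD CPE mapping issue, but the trade-off and the maintenance obligation should be recorded where the next maintainer will read it, e.g. `"reason": "... Upper bound 2.4 is the latest known openid plugin release at time of writing, not a fix version; raise it if the plugin ships again, since the issue is unfixed."`. If 2.4 is not in fact the latest openid release, the bound is already wrong and should be rechecked against the plugin's release history. Minor: the file is committed without a trailing newline (`\ No newline at end of file`), which this data repo's other JSON files presumably have; worth normalizing.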