
Test ID: 1.3.6.1.4.1.25623.1.0.806621
Category: Web application abuses
Title: Jenkins CLI Multiple Vulnerabilities
Summary: Jenkins is prone to multiple vulnerabilities. This VT has been replaced by the VTs 'Jenkins Multiple Vulnerabilities - Nov15 (Linux)' (OID: 1.3.6.1.4.1.25623.1.0.808269) and 'Jenkins Multiple Vulnerabilities - Nov15 (Windows)' (OID: 1.3.6.1.4.1.25623.1.0.807001).
Description:
Summary:
Jenkins is prone to multiple vulnerabilities.

This VT has been replaced by the VTs 'Jenkins Multiple Vulnerabilities - Nov15 (Linux)' (OID: 1.3.6.1.4.1.25623.1.0.808269)
and 'Jenkins Multiple Vulnerabilities - Nov15 (Windows)' (OID: 1.3.6.1.4.1.25623.1.0.807001).

Vulnerability Insight:
Multiple flaws exist:

- Jenkins UI allows users to see the names of jobs and builds otherwise
inaccessible to them on the 'Fingerprints' pages.

- The salt used to generate the CSRF protection tokens is a publicly accessible
value.

- When creating a job using the create-job CLI command, external entities are
not discarded (nor processed).

- JNLP slave connections did not verify that the correct secret was supplied.

- The /queue/api URL could return information about items not accessible to
the current user.

- The CLI command overview and help pages in Jenkins were accessible without
Overall/Read permission.

- Access to the /jnlpJars/ URL was not limited to the specific JAR files users
needed to access, allowing browsing directories and downloading other files in
the Jenkins servlet resources.

- API tokens of other users were exposed to admins by default.

- Slaves connecting via JNLP were not subject to the optional slave-to-master
access control.

- Users with the permission to take slave nodes offline can enter arbitrary
HTML.

- An unsafe deserialization flaw.

Vulnerability Impact:
Successful exploitation will allow remote attackers to gain access to sensitive information, conduct XXE, XSS and CSRF attacks, and execute arbitrary code on the affected system.

Affected Software/OS:
All Jenkins main line releases up to and including 1.637,
all Jenkins LTS releases up to and including 1.625.1.

Solution:
Jenkins main line users should update to 1.638,
Jenkins LTS users should update to 1.625.2.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross-references:
Common Vulnerability Exposure (CVE) ID: CVE-2015-5318
RedHat Security Advisories: RHSA-2016:0070
https://access.redhat.com/errata/RHSA-2016:0070
RedHat Security Advisories: RHSA-2016:0489
http://rhn.redhat.com/errata/RHSA-2016-0489.html
Common Vulnerability Exposure (CVE) ID: CVE-2015-5319
Common Vulnerability Exposure (CVE) ID: CVE-2015-5320
Common Vulnerability Exposure (CVE) ID: CVE-2015-5324
Common Vulnerability Exposure (CVE) ID: CVE-2015-5321
Common Vulnerability Exposure (CVE) ID: CVE-2015-5322
Common Vulnerability Exposure (CVE) ID: CVE-2015-5323
Common Vulnerability Exposure (CVE) ID: CVE-2015-5325
Common Vulnerability Exposure (CVE) ID: CVE-2015-5326
Copyright: Copyright (C) 2015 Greenbone Networks GmbH





© 1998-2024 E-Soft Inc. All rights reserved.