Test ID: 1.3.6.1.4.1.25623.1.0.806621

Category: Web application abuses

Title: Jenkins CLI Multiple Vulnerabilities

Summary: Jenkins is prone to multiple vulnerabilities. This VT has been replaced by the VTs 'Jenkins Multiple Vulnerabilities - Nov15 (Linux)' (OID: 1.3.6.1.4.1.25623.1.0.808269) and 'Jenkins Multiple Vulnerabilities - Nov15 (Windows)' (OID: 1.3.6.1.4.1.25623.1.0.807001).

Description:

Summary: Jenkins is prone to multiple vulnerabilities. This VT has been replaced by the VTs 'Jenkins Multiple Vulnerabilities - Nov15 (Linux)' (OID: 1.3.6.1.4.1.25623.1.0.808269) and 'Jenkins Multiple Vulnerabilities - Nov15 (Windows)' (OID: 1.3.6.1.4.1.25623.1.0.807001).

Vulnerability Insight: Multiple flaws exist:
- The Jenkins UI allows users to see the names of jobs and builds otherwise inaccessible to them on the 'Fingerprints' pages.
- The salt used to generate the CSRF protection tokens is a publicly accessible value.
- When creating a job using the create-job CLI command, external entities are not discarded (nor processed).
- JNLP slave connections did not verify that the correct secret was supplied.
- The /queue/api URL could return information about items not accessible to the current user.
- The CLI command overview and help pages in Jenkins were accessible without Overall/Read permission.
- Access to the /jnlpJars/ URL was not limited to the specific JAR files users needed to access, allowing browsing of directories and downloading of other files in the Jenkins servlet resources.
- API tokens of other users were exposed to admins by default.
- Slaves connecting via JNLP were not subject to the optional slave-to-master access control.
- Users with the permission to take slave nodes offline can enter arbitrary HTML.
- An error due to unsafe deserialization.

Vulnerability Impact: Successful exploitation will allow remote attackers to gain access to sensitive information, conduct XXE, XSS and CSRF attacks, and execute arbitrary code on the affected system.

Affected Software/OS: All Jenkins main line releases up to and including 1.637, all Jenkins LTS releases up to and including 1.625.1.

Solution: Jenkins main line users should update to 1.638, Jenkins LTS users should update to 1.625.2.

CVSS Score: 7.5

CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross-Reference:
- Common Vulnerability Exposure (CVE) ID: CVE-2015-5318
  - RedHat Security Advisory RHSA-2016:0070: https://access.redhat.com/errata/RHSA-2016:0070
  - RedHat Security Advisory RHSA-2016:0489: http://rhn.redhat.com/errata/RHSA-2016-0489.html
- Common Vulnerability Exposure (CVE) ID: CVE-2015-5319
- Common Vulnerability Exposure (CVE) ID: CVE-2015-5320
- Common Vulnerability Exposure (CVE) ID: CVE-2015-5324
- Common Vulnerability Exposure (CVE) ID: CVE-2015-5321
- Common Vulnerability Exposure (CVE) ID: CVE-2015-5322
- Common Vulnerability Exposure (CVE) ID: CVE-2015-5323
- Common Vulnerability Exposure (CVE) ID: CVE-2015-5325
- Common Vulnerability Exposure (CVE) ID: CVE-2015-5326

Copyright: Copyright (C) 2015 Greenbone Networks GmbH