Startseite ▼ Bookkeeping
Online ▼ Sicherheits
Überprüfungs ▼
Verwaltetes
DNS ▼
Info
Bestellen/Erneuern
FAQ
AUP
Dynamic DNS Clients
Domaine konfigurieren Dyanmic DNS Update Password Netzwerk
Überwachung ▼
Enterprise
Erweiterte
Standard
Gratis Test
FAQ
Preis/Funktionszusammenfassung
Bestellen
Beispiele
Konfigurieren/Status Alarm Profile | |||
Test Kennung: | 1.3.6.1.4.1.25623.1.0.807331 |
Kategorie: | Web application abuses |
Titel: | Jenkins Multiple Vulnerabilities (Feb 2016) - Windows |
Zusammenfassung: | Jenkins is prone to multiple vulnerabilities. |
Beschreibung: | Summary: Jenkins is prone to multiple vulnerabilities. Vulnerability Insight: Multiple flaws are due to: - The verification of user-provided API tokens with the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to use statistical methods to determine valid API tokens using brute-force methods. - The verification of user-provided CSRF crumbs with the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to use statistical methods to determine valid CSRF crumbs using brute-force methods. - The Jenkins has several API endpoints that allow low-privilege users to POST XML files that then get deserialized by Jenkins. Maliciously crafted XML files sent to these API endpoints could result in arbitrary code execution. - An HTTP response splitting vulnerability in the CLI command documentation allowed attackers to craft Jenkins URLs that serve malicious content. - The Jenkins remoting module allowed unauthenticated remote attackers to open a JRMP listener on the server hosting the Jenkins master process, which allowed arbitrary code execution. Vulnerability Impact: Successful exploitation will allow remote attackers to obtain sensitive information, bypass the protection mechanism, gain elevated privileges, bypass intended access restrictions and execute arbitrary code. Affected Software/OS: Jenkins main line 1.649 and prior, Jenkins LTS 1.642.1 and prior. Solution: Jenkins main line users should update to 1.650, Jenkins LTS users should update to 1.642.2. CVSS Score: 10.0 CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C |
Querverweis: |
Common Vulnerability Exposure (CVE) ID: CVE-2016-0788 RedHat Security Advisories: RHSA-2016:0711 https://access.redhat.com/errata/RHSA-2016:0711 RedHat Security Advisories: RHSA-2016:1773 http://rhn.redhat.com/errata/RHSA-2016-1773.html Common Vulnerability Exposure (CVE) ID: CVE-2016-0789 Common Vulnerability Exposure (CVE) ID: CVE-2016-0790 Common Vulnerability Exposure (CVE) ID: CVE-2016-0791 Common Vulnerability Exposure (CVE) ID: CVE-2016-0792 https://www.exploit-db.com/exploits/42394/ https://www.exploit-db.com/exploits/43375/ https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream |
Copyright | Copyright (C) 2016 Greenbone Networks GmbH |
Dies ist nur einer von 99761 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus. Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten. |