FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-05-14 07:55:01 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
23af0425-9eac-11e5-b937-00e0814cab4e	jenkins -- multiple vulnerabilities Jenkins Security Advisory: Description SECURITY-95 / CVE-2015-7536 (Stored XSS vulnerability through workspace files and archived artifacts) In certain configurations, low privilege users were able to create e.g. HTML files in workspaces and archived artifacts that could result in XSS when accessed by other users. Jenkins now sends Content-Security-Policy headers that enables sandboxing and prohibits script execution by default. SECURITY-225 / CVE-2015-7537 (CSRF vulnerability in some administrative actions) Several administration/configuration related URLs could be accessed using GET, which allowed attackers to circumvent CSRF protection. SECURITY-233 / CVE-2015-7538 (CSRF protection ineffective) Malicious users were able to circumvent CSRF protection on any URL by sending specially crafted POST requests. SECURITY-234 / CVE-2015-7539 (Jenkins plugin manager vulnerable to MITM attacks) While the Jenkins update site data is digitally signed, and the signature verified by Jenkins, Jenkins did not verify the provided SHA-1 checksums for the plugin files referenced in the update site data. This enabled MITM attacks on the plugin manager, resulting in installation of attacker-provided plugins. Discovery 2015-12-09 Entry 2015-12-09 jenkins le 1.641 jenkins-lts le 1.625.3 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09

VuXML ID

Description

23af0425-9eac-11e5-b937-00e0814cab4e

jenkins -- multiple vulnerabilities

Jenkins Security Advisory:

Description

SECURITY-95 / CVE-2015-7536 (Stored XSS vulnerability through workspace files and archived artifacts)

In certain configurations, low privilege users were able to create e.g. HTML files in workspaces and archived artifacts that could result in XSS when accessed by other users. Jenkins now sends Content-Security-Policy headers that enables sandboxing and prohibits script execution by default.

SECURITY-225 / CVE-2015-7537 (CSRF vulnerability in some administrative actions)

Several administration/configuration related URLs could be accessed using GET, which allowed attackers to circumvent CSRF protection.

SECURITY-233 / CVE-2015-7538 (CSRF protection ineffective)

Malicious users were able to circumvent CSRF protection on any URL by sending specially crafted POST requests.

SECURITY-234 / CVE-2015-7539 (Jenkins plugin manager vulnerable to MITM attacks)

While the Jenkins update site data is digitally signed, and the signature verified by Jenkins, Jenkins did not verify the provided SHA-1 checksums for the plugin files referenced in the update site data. This enabled MITM attacks on the plugin manager, resulting in installation of attacker-provided plugins.

Discovery 2015-12-09
Entry 2015-12-09
jenkins

le 1.641

jenkins-lts

le 1.625.3

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09