FreshPorts - VuXML
This page displays vulnerability information about FreeBSD Ports.
The last vuln.xml file processed by FreshPorts is:
List all Vulnerabilities, by package
List all Vulnerabilities, by date
These are the vulnerabilities relating to the commit you have selected:
|3e0507c6-9614-11e3-b3a5-00e0814cab4e||jenkins -- multiple vulnerabilities|
Jenkins Security Advisory reports:
This advisory announces multiple security vulnerabilities that
were found in Jenkins core.
In some places, Jenkins XML API uses XStream to deserialize
arbitrary content, which is affected by CVE-2013-7285 reported
against XStream. This allows malicious users of Jenkins with
a limited set of permissions to execute arbitrary code inside
SECURITY-76 & SECURITY-88 / CVE-2013-5573
Restrictions of HTML tags for user-editable contents are too
lax. This allows malicious users of Jenkins to trick other
unsuspecting users into providing sensitive information.
Plugging a hole in the earlier fix to SECURITY-55. Under some
circimstances, a malicious user of Jenkins can configure job
X to trigger another job Y that the user has no access to.
CLI job creation had a directory traversal vulnerability. This
allows a malicious user of Jenkins with a limited set of
permissions to overwrite files in the Jenkins master and
The embedded Winstone servlet container is susceptive to
session hijacking attack.
The password input control in the password parameter
definition in the Jenkins UI was serving the actual value of
the password in HTML, not an encrypted one. If a sensitive
value is set as the default value of such a parameter
definition, it can be exposed to unintended audience.
Deleting the user was not invalidating the API token,
allowing users to access Jenkins when they shouldn't be
allowed to do so.
Jenkins UI was vulnerable to click jacking attacks.
"Jenkins' own user database" was revealing the
presence/absence of users when login attempts fail.
Jenkins had a cross-site scripting vulnerability in one of its
cookies. If Jenkins is deployed in an environment that allows
an attacker to override Jenkins cookies in victim's browser,
this vulnerability can be exploited.
Jenkins was vulnerable to session fixation attack. If Jenkins
is deployed in an environment that allows an attacker to
override Jenkins cookies in victim's browser, this
vulnerability can be exploited.
Stored XSS vulnerability. A malicious user of Jenkins with a
certain set of permissions can cause Jenkins to store
arbitrary HTML fragment.
Some of the system diagnostic functionalities were checking a
lesser permission than it should have. In a very limited
circumstances, this can cause an attacker to gain information
that he shouldn't have access to.
- SECURITY-106, and SECURITY-80 are rated high. An attacker only
needs direct HTTP access to the server to mount this attack.
- SECURITY-105, SECURITY-109, SECURITY-108, and SECURITY-74 are
rated high. These vulnerabilities allow attackes with valid
Jenkins user accounts to escalate privileges in various ways.
- SECURITY-76, SECURIT-88, and SECURITY-89 are rated medium.
These vulnerabilities requires an attacker to be an user of
Jenkins, and the mode of the attack is limited.
- SECURITY-93, and SECURITY-79 are rated low. These
vulnerabilities only affect a small part of Jenkins and has
- SECURITY-77, SECURITY-75, and SECURITY-73 are rated low. These
vulnerabilities are hard to exploit unless combined with other
exploit in the network.