FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  318877
Date:      2013-05-23
Time:      15:30:07Z
Committer: flo

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
7fe5b84a-78eb-11e2-8441-00e0814cab4e	jenkins -- multiple vulnerabilities Jenkins Security Advisory reports: This advisory announces multiple security vulnerabilities that were found in Jenkins core. One of the vulnerabilities allows cross-site request forgery (CSRF) attacks on Jenkins master, which causes an user to make unwanted actions on Jenkins. Another vulnerability enables cross-site scripting (XSS) attacks, which has the similar consequence. Another vulnerability allowed an attacker to bypass the CSRF protection mechanism in place, thereby mounting more CSRF attackes. These attacks allow an attacker without direct access to Jenkins to mount an attack. In the fourth vulnerability, a malicious user of Jenkins can trick Jenkins into building jobs that he does not have direct access to. And lastly, a vulnerability allows a malicious user of Jenkins to mount a denial of service attack by feeding a carefully crafted payload to Jenkins. Discovery 2013-02-16 Entry 2013-02-17 jenkins lt 1.501 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16
3a65d33b-5950-11e2-b66b-00e0814cab4e	jenkins -- HTTP access to the server to retrieve the master cryptographic key Jenkins Security Advisory reports: This advisory announces a security vulnerability that was found in Jenkins core. An attacker can then use this master cryptographic key to mount remote code execution attack against the Jenkins master, or impersonate arbitrary users in making REST API calls. There are several factors that mitigate some of these problems that may apply to specific installations. The particular attack vector is only applicable on Jenkins instances that have slaves attached to them, and allow anonymous read access. Jenkins allows users to re-generate the API tokens. Those re-generated API tokens cannot be impersonated by the attacker. Discovery 2013-01-04 Entry 2013-01-08 jenkins lt 1.498 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04

VuXML ID

Description

7fe5b84a-78eb-11e2-8441-00e0814cab4e

jenkins -- multiple vulnerabilities

Jenkins Security Advisory reports:

This advisory announces multiple security vulnerabilities that were found in Jenkins core.

One of the vulnerabilities allows cross-site request forgery (CSRF) attacks on Jenkins master, which causes an user to make unwanted actions on Jenkins. Another vulnerability enables cross-site scripting (XSS) attacks, which has the similar consequence. Another vulnerability allowed an attacker to bypass the CSRF protection mechanism in place, thereby mounting more CSRF attackes. These attacks allow an attacker without direct access to Jenkins to mount an attack.

In the fourth vulnerability, a malicious user of Jenkins can trick Jenkins into building jobs that he does not have direct access to.

And lastly, a vulnerability allows a malicious user of Jenkins to mount a denial of service attack by feeding a carefully crafted payload to Jenkins.

Discovery 2013-02-16
Entry 2013-02-17
jenkins

lt 1.501

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16

3a65d33b-5950-11e2-b66b-00e0814cab4e

jenkins -- HTTP access to the server to retrieve the master cryptographic key

Jenkins Security Advisory reports:

This advisory announces a security vulnerability that was found in Jenkins core.

An attacker can then use this master cryptographic key to mount remote code execution attack against the Jenkins master, or impersonate arbitrary users in making REST API calls.

There are several factors that mitigate some of these problems that may apply to specific installations.

The particular attack vector is only applicable on Jenkins instances that have slaves attached to them, and allow anonymous read access.

Jenkins allows users to re-generate the API tokens. Those re-generated API tokens cannot be impersonated by the attacker.

Discovery 2013-01-04
Entry 2013-01-08
jenkins

lt 1.498

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04