FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  375358
Date:      2014-12-23
Time:      21:24:55Z
Committer: rea

These are the vulnerabilities relating to the commit you have selected:

VuXML ID: 7fe5b84a-78eb-11e2-8441-00e0814cab4e
Description: jenkins -- multiple vulnerabilities

Jenkins Security Advisory reports:

This advisory announces multiple security vulnerabilities that were found in Jenkins core.

  1. One of the vulnerabilities allows cross-site request forgery (CSRF) attacks on Jenkins master, which causes a user to make unwanted actions on Jenkins. Another vulnerability enables cross-site scripting (XSS) attacks, which has a similar consequence. Another vulnerability allowed an attacker to bypass the CSRF protection mechanism in place, thereby mounting more CSRF attacks. These attacks allow an attacker without direct access to Jenkins to mount an attack.
  2. In the fourth vulnerability, a malicious user of Jenkins can trick Jenkins into building jobs that he does not have direct access to.
  3. And lastly, a vulnerability allows a malicious user of Jenkins to mount a denial of service attack by feeding a carefully crafted payload to Jenkins.

Discovery: 2013-02-16
Entry: 2013-02-17
Affected: jenkins lt 1.501

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16

VuXML ID: 3a65d33b-5950-11e2-b66b-00e0814cab4e
Description: jenkins -- HTTP access to the server to retrieve the master cryptographic key

Jenkins Security Advisory reports:

This advisory announces a security vulnerability that was found in Jenkins core.

An attacker can then use this master cryptographic key to mount a remote code execution attack against the Jenkins master, or impersonate arbitrary users in making REST API calls.

There are several factors that mitigate some of these problems that may apply to specific installations.

  • The particular attack vector is only applicable on Jenkins instances that have slaves attached to them, and allow anonymous read access.
  • Jenkins allows users to re-generate the API tokens. Those re-generated API tokens cannot be impersonated by the attacker.

Discovery: 2013-01-04
Entry: 2013-01-08
Affected: jenkins lt 1.498

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04

VuXML ID: 622e14b1-b40c-11e2-8441-00e0814cab4e
Description: jenkins -- multiple vulnerabilities

Jenkins Security Advisory reports:

This advisory announces multiple security vulnerabilities that were found in Jenkins core.

  1. SECURITY-63 / CVE-2013-2034

    This creates a cross-site request forgery (CSRF) vulnerability on Jenkins master, where an anonymous attacker can trick an administrator to execute arbitrary code on Jenkins master by having him open a specifically crafted attack URL.

    There's also a related vulnerability where the permission check on this ability is done imprecisely, which may affect those who are running Jenkins instances with a custom authorization strategy plugin.

  2. SECURITY-67 / CVE-2013-2033

    This creates a cross-site scripting (XSS) vulnerability, where an attacker with a valid user account on Jenkins can execute JavaScript in the browser of other users, if those users are using certain browsers.

  3. SECURITY-69 / CVE-2013-2034

    This is another CSRF vulnerability that allows an attacker to cause a deployment of binaries to Maven repositories. This vulnerability has the same CVE ID as SECURITY-63.

  4. SECURITY-71 / CVE-2013-1808

    This creates a cross-site scripting (XSS) vulnerability.


Discovery: 2013-05-02
Entry: 2013-05-03
Affected: jenkins lt 1.514

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-05-02
CVE-2013-2034
CVE-2013-2033
CVE-2013-2034
CVE-2013-1808

VuXML ID: 3e0507c6-9614-11e3-b3a5-00e0814cab4e
Description: jenkins -- multiple vulnerabilities

Jenkins Security Advisory reports:

This advisory announces multiple security vulnerabilities that were found in Jenkins core.

  1. SECURITY-105

    In some places, Jenkins XML API uses XStream to deserialize arbitrary content, which is affected by CVE-2013-7285 reported against XStream. This allows malicious users of Jenkins with a limited set of permissions to execute arbitrary code inside Jenkins master.

  2. SECURITY-76 & SECURITY-88 / CVE-2013-5573

    Restrictions of HTML tags for user-editable contents are too lax. This allows malicious users of Jenkins to trick other unsuspecting users into providing sensitive information.

  3. SECURITY-109

    Plugging a hole in the earlier fix to SECURITY-55. Under some circumstances, a malicious user of Jenkins can configure job X to trigger another job Y that the user has no access to.

  4. SECURITY-108

    CLI job creation had a directory traversal vulnerability. This allows a malicious user of Jenkins with a limited set of permissions to overwrite files in the Jenkins master and escalate privileges.

  5. SECURITY-106

    The embedded Winstone servlet container is susceptible to a session hijacking attack.

  6. SECURITY-93

    The password input control in the password parameter definition in the Jenkins UI was serving the actual value of the password in HTML, not an encrypted one. If a sensitive value is set as the default value of such a parameter definition, it can be exposed to an unintended audience.

  7. SECURITY-89

    Deleting the user was not invalidating the API token, allowing users to access Jenkins when they shouldn't be allowed to do so.

  8. SECURITY-80

    Jenkins UI was vulnerable to clickjacking attacks.

  9. SECURITY-79

    "Jenkins' own user database" was revealing the presence/absence of users when login attempts fail.

  10. SECURITY-77

    Jenkins had a cross-site scripting vulnerability in one of its cookies. If Jenkins is deployed in an environment that allows an attacker to override Jenkins cookies in the victim's browser, this vulnerability can be exploited.

  11. SECURITY-75

    Jenkins was vulnerable to a session fixation attack. If Jenkins is deployed in an environment that allows an attacker to override Jenkins cookies in the victim's browser, this vulnerability can be exploited.

  12. SECURITY-74

    Stored XSS vulnerability. A malicious user of Jenkins with a certain set of permissions can cause Jenkins to store an arbitrary HTML fragment.

  13. SECURITY-73

    Some of the system diagnostic functionalities were checking a lesser permission than they should have. In very limited circumstances, this can cause an attacker to gain information that he shouldn't have access to.

Severity

  1. SECURITY-106 and SECURITY-80 are rated high. An attacker only needs direct HTTP access to the server to mount this attack.
  2. SECURITY-105, SECURITY-109, SECURITY-108, and SECURITY-74 are rated high. These vulnerabilities allow attackers with valid Jenkins user accounts to escalate privileges in various ways.
  3. SECURITY-76, SECURITY-88, and SECURITY-89 are rated medium. These vulnerabilities require an attacker to be a user of Jenkins, and the mode of the attack is limited.
  4. SECURITY-93 and SECURITY-79 are rated low. These vulnerabilities only affect a small part of Jenkins and have limited impact.
  5. SECURITY-77, SECURITY-75, and SECURITY-73 are rated low. These vulnerabilities are hard to exploit unless combined with other exploits in the network.

Discovery: 2014-02-14
Entry: 2014-02-15
Affected: jenkins lt 1.551
Affected: jenkins-lts lt 1.532.2

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14
CVE-2013-5573
CVE-2013-7285