| VuXML ID | Description |
|---|
| d846af5b-00f4-11e2-b6d0-00e0814cab4e | jenkins -- multiple vulnerabilities
Jenkins Security Advisory reports:
This advisory announces security vulnerabilities that were found
in Jenkins core and several plugins.
- The first vulnerability in Jenkins core allows unprivileged
users to insert data into Jenkins master, which can lead to
remote code execution. For this vulnerability to be exploited,
the attacker must have an HTTP access to a Jenkins master, and
he must have a read access to Jenkins.
- The second vulnerability in Jenkins core is a cross-site
scripting vulnerability. This allows an attacker to craft an URL
that points to Jenkins, and if a legitimate user clicks this link,
and the attacker will be able to hijack the user session.
- The third vulnerability is a cross-site scripting vulnerability
in the Violations plugin
- The fourth vulnerability is a cross-site scripting vulnerability
in The Continuous Integration Game plugin
Discovery 2012-09-17
Entry 2012-09-17
jenkins
lt 1.482
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-09-17
|
| 3a65d33b-5950-11e2-b66b-00e0814cab4e | jenkins -- HTTP access to the server to retrieve the master cryptographic key
Jenkins Security Advisory reports:
This advisory announces a security vulnerability that was found
in Jenkins core.
An attacker can then use this master cryptographic key to mount
remote code execution attack against the Jenkins master, or
impersonate arbitrary users in making REST API calls.
There are several factors that mitigate some of these problems
that may apply to specific installations.
- The particular attack vector is only applicable on Jenkins
instances that have slaves attached to them, and allow
anonymous read access.
- Jenkins allows users to re-generate the API tokens. Those
re-generated API tokens cannot be impersonated by the
attacker.
Discovery 2013-01-04
Entry 2013-01-08
jenkins
lt 1.498
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04
|
| 7fe5b84a-78eb-11e2-8441-00e0814cab4e | jenkins -- multiple vulnerabilities
Jenkins Security Advisory reports:
This advisory announces multiple security vulnerabilities that
were found in Jenkins core.
- One of the vulnerabilities allows cross-site request
forgery (CSRF) attacks on Jenkins master, which causes an user
to make unwanted actions on Jenkins. Another vulnerability
enables cross-site scripting (XSS) attacks, which has the similar
consequence. Another vulnerability allowed an attacker to bypass
the CSRF protection mechanism in place, thereby mounting more CSRF
attackes. These attacks allow an attacker without direct access to
Jenkins to mount an attack.
- In the fourth vulnerability, a malicious user of Jenkins can trick
Jenkins into building jobs that he does not have direct access to.
- And lastly, a vulnerability allows a malicious user of Jenkins to
mount a denial of service attack by feeding a carefully crafted
payload to Jenkins.
Discovery 2013-02-16
Entry 2013-02-17
jenkins
lt 1.501
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16
|
| 9448a82f-6878-11e1-865f-00e0814cab4e | jenkins -- XSS vulnerability
Jenkins Security Advisory reports:
An XSS vulnerability was found in Jenkins core, which allows an
attacker to inject malicious HTMLs to pages served by Jenkins.
This allows an attacker to escalate his privileges by hijacking
sessions of other users. This vulnerability affects all
versions.
Discovery 2012-03-05
Entry 2012-03-07
jenkins
lt 1.453
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-03-05
|
| 9448a82f-6878-11e1-865f-00e0814cab4e | jenkins -- XSS vulnerability
Jenkins Security Advisory reports:
An XSS vulnerability was found in Jenkins core, which allows an
attacker to inject malicious HTMLs to pages served by Jenkins.
This allows an attacker to escalate his privileges by hijacking
sessions of other users. This vulnerability affects all
versions.
Discovery 2012-03-05
Entry 2012-03-07
jenkins
lt 1.453
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-03-05
|