FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  368515
Date:      2014-09-18
Time:      19:53:09Z
Committer: madpilot

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
d846af5b-00f4-11e2-b6d0-00e0814cab4ejenkins -- multiple vulnerabilities

Jenkins Security Advisory reports:

This advisory announces security vulnerabilities that were found in Jenkins core and several plugins.

  1. The first vulnerability in Jenkins core allows unprivileged users to insert data into Jenkins master, which can lead to remote code execution. For this vulnerability to be exploited, the attacker must have an HTTP access to a Jenkins master, and he must have a read access to Jenkins.
  2. The second vulnerability in Jenkins core is a cross-site scripting vulnerability. This allows an attacker to craft an URL that points to Jenkins, and if a legitimate user clicks this link, and the attacker will be able to hijack the user session.
  3. The third vulnerability is a cross-site scripting vulnerability in the Violations plugin
  4. The fourth vulnerability is a cross-site scripting vulnerability in The Continuous Integration Game plugin

Discovery 2012-09-17
Entry 2012-09-17
jenkins
lt 1.482

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-09-17
9448a82f-6878-11e1-865f-00e0814cab4ejenkins -- XSS vulnerability

Jenkins Security Advisory reports:

An XSS vulnerability was found in Jenkins core, which allows an attacker to inject malicious HTMLs to pages served by Jenkins. This allows an attacker to escalate his privileges by hijacking sessions of other users. This vulnerability affects all versions.


Discovery 2012-03-05
Entry 2012-03-07
jenkins
lt 1.453

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-03-05
9448a82f-6878-11e1-865f-00e0814cab4ejenkins -- XSS vulnerability

Jenkins Security Advisory reports:

An XSS vulnerability was found in Jenkins core, which allows an attacker to inject malicious HTMLs to pages served by Jenkins. This allows an attacker to escalate his privileges by hijacking sessions of other users. This vulnerability affects all versions.


Discovery 2012-03-05
Entry 2012-03-07
jenkins
lt 1.453

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-03-05
622e14b1-b40c-11e2-8441-00e0814cab4ejenkins -- multiple vulnerabilities

Jenkins Security Advisory reports:

This advisory announces multiple security vulnerabilities that were found in Jenkins core.

  1. SECURITY-63 / CVE-2013-2034

    This creates a cross-site request forgery (CSRF) vulnerability on Jenkins master, where an anonymous attacker can trick an administrator to execute arbitrary code on Jenkins master by having him open a specifically crafted attack URL.

    There's also a related vulnerability where the permission check on this ability is done imprecisely, which may affect those who are running Jenkins instances with a custom authorization strategy plugin.

  2. SECURITY-67 / CVE-2013-2033

    This creates a cross-site scripting (XSS) vulnerability, where an attacker with a valid user account on Jenkins can execute JavaScript in the browser of other users, if those users are using certain browsers.

  3. SECURITY-69 / CVE-2013-2034

    This is another CSRF vulnerability that allows an attacker to cause a deployment of binaries to Maven repositories. This vulnerability has the same CVE ID as SEUCRITY-63.

  4. SECURITY-71 / CVE-2013-1808

    This creates a cross-site scripting (XSS) vulnerability.


Discovery 2013-05-02
Entry 2013-05-03
jenkins
lt 1.514

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-05-02
CVE-2013-2034
CVE-2013-2033
CVE-2013-2034
CVE-2013-1808
3a65d33b-5950-11e2-b66b-00e0814cab4ejenkins -- HTTP access to the server to retrieve the master cryptographic key

Jenkins Security Advisory reports:

This advisory announces a security vulnerability that was found in Jenkins core.

An attacker can then use this master cryptographic key to mount remote code execution attack against the Jenkins master, or impersonate arbitrary users in making REST API calls.

There are several factors that mitigate some of these problems that may apply to specific installations.

  • The particular attack vector is only applicable on Jenkins instances that have slaves attached to them, and allow anonymous read access.
  • Jenkins allows users to re-generate the API tokens. Those re-generated API tokens cannot be impersonated by the attacker.

Discovery 2013-01-04
Entry 2013-01-08
jenkins
lt 1.498

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04
7fe5b84a-78eb-11e2-8441-00e0814cab4ejenkins -- multiple vulnerabilities

Jenkins Security Advisory reports:

This advisory announces multiple security vulnerabilities that were found in Jenkins core.

  1. One of the vulnerabilities allows cross-site request forgery (CSRF) attacks on Jenkins master, which causes an user to make unwanted actions on Jenkins. Another vulnerability enables cross-site scripting (XSS) attacks, which has the similar consequence. Another vulnerability allowed an attacker to bypass the CSRF protection mechanism in place, thereby mounting more CSRF attackes. These attacks allow an attacker without direct access to Jenkins to mount an attack.
  2. In the fourth vulnerability, a malicious user of Jenkins can trick Jenkins into building jobs that he does not have direct access to.
  3. And lastly, a vulnerability allows a malicious user of Jenkins to mount a denial of service attack by feeding a carefully crafted payload to Jenkins.

Discovery 2013-02-16
Entry 2013-02-17
jenkins
lt 1.501

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16