Test ID: 1.3.6.1.4.1.25623.1.0.807330
Category: Web application abuses
Title: Jenkins Multiple Vulnerabilities (May 2016) - Linux
Summary: Jenkins is prone to multiple vulnerabilities.

Description:

Summary: Jenkins is prone to multiple vulnerabilities.

Vulnerability Insight: Multiple flaws are due to:
- The XML/JSON API endpoints providing information about installed plugins were missing permission checks, allowing any user with read access to Jenkins to determine which plugins and versions were installed.
- Users with extended read access could access encrypted secrets stored directly in the configuration of those items.
- A missing permission check allowed any user with access to Jenkins to trigger an update of update site metadata. This could be combined with DNS cache poisoning to disrupt the Jenkins service.
- Some Jenkins URLs did not properly validate redirect URLs, which allowed malicious users to create URLs that redirect users to arbitrary scheme-relative URLs.
- The API URL /computer/(master)/api/xml allowed users with the 'extended read' permission for the master node to see some global Jenkins configuration, including the configuration of the security realm.
- By changing the freely editable 'full name', malicious users with multiple user accounts could prevent other users from logging in, as 'full name' was resolved before the actual user name to determine which account is currently trying to log in.
- Improper validation of build parameters in Jenkins.

Vulnerability Impact: Successful exploitation will allow remote attackers to obtain sensitive information, bypass the protection mechanism, gain elevated privileges, bypass intended access restrictions and execute arbitrary code.

Affected Software/OS: All Jenkins main line releases up to and including 2.2; all Jenkins LTS releases up to and including 1.651.1.

Solution: Jenkins main line users should update to 2.3; Jenkins LTS users should update to 1.651.2.

CVSS Score: 5.8
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Cross References:
- Common Vulnerability Exposure (CVE) ID: CVE-2016-3721
  http://www.openwall.com/lists/oss-security/2024/05/02/3
- RedHat Security Advisories: RHSA-2016:1206
  https://access.redhat.com/errata/RHSA-2016:1206
- RedHat Security Advisories: RHSA-2016:1773
  http://rhn.redhat.com/errata/RHSA-2016-1773.html
- Common Vulnerability Exposure (CVE) ID: CVE-2016-3722
- Common Vulnerability Exposure (CVE) ID: CVE-2016-3723
- Common Vulnerability Exposure (CVE) ID: CVE-2016-3724
- Common Vulnerability Exposure (CVE) ID: CVE-2016-3725
- Common Vulnerability Exposure (CVE) ID: CVE-2016-3726
- Common Vulnerability Exposure (CVE) ID: CVE-2016-3727

Copyright: Copyright (C) 2016 Greenbone AG
This is only one of 146377 vulnerability tests in our test suite. Find out more about how to run a complete security audit. To run a free test of this vulnerability against your system, register now.