Test ID: 1.3.6.1.4.1.25623.1.0.808267
Category: Web application abuses
Title: Jenkins Multiple Vulnerabilities (Feb 2014) - Linux
Summary: Jenkins is prone to multiple vulnerabilities.
Description:

Vulnerability Insight:
Multiple flaws are due to:

- Improper access restriction by 'BuildTrigger'.

- Improper session handling by 'Winstone servlet container'.

- Error in input control in PasswordParameterDefinition.

- Error in handling of API tokens.

- Error in 'loadUserByUsername' function in the
hudson/security/HudsonPrivateSecurityRealm.java script.

- Insufficient validation of user-supplied input via the iconSize cookie.

- Session fixation vulnerability via vectors involving the 'override' of
Jenkins cookies.

- The 'doIndex' function in the hudson/util/RemotingDiagnostics.java script does not
restrict access to sensitive information via vectors related to heapDump.

- An unspecified vulnerability.

Vulnerability Impact:
Successful exploitation will allow remote
attackers to obtain sensitive information, hijack web sessions, conduct
clickjacking attacks, inject arbitrary web script or HTML, bypass the
protection mechanism, gain elevated privileges, bypass intended access
restrictions and execute arbitrary code.

Affected Software/OS:
Jenkins main line prior to 1.551, Jenkins LTS prior to 1.532.2.

Solution:
Jenkins main line users should update to 1.551,
Jenkins LTS users should update to 1.532.2.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross References:
Common Vulnerability Exposure (CVE) ID: CVE-2014-2068
http://www.openwall.com/lists/oss-security/2014/02/21/2
Common Vulnerability Exposure (CVE) ID: CVE-2014-2066
Common Vulnerability Exposure (CVE) ID: CVE-2014-2065
Common Vulnerability Exposure (CVE) ID: CVE-2014-2064
Common Vulnerability Exposure (CVE) ID: CVE-2014-2063
Common Vulnerability Exposure (CVE) ID: CVE-2014-2062
Common Vulnerability Exposure (CVE) ID: CVE-2014-2061
Common Vulnerability Exposure (CVE) ID: CVE-2014-2060
Common Vulnerability Exposure (CVE) ID: CVE-2014-2058
Common Vulnerability Exposure (CVE) ID: CVE-2013-7285
https://x-stream.github.io/CVE-2013-7285.html
http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1@%3Cissues.activemq.apache.org%3E
http://seclists.org/oss-sec/2014/q1/69
https://www.mail-archive.com/user@xstream.codehaus.org/msg00604.html
https://www.mail-archive.com/user@xstream.codehaus.org/msg00607.html
Common Vulnerability Exposure (CVE) ID: CVE-2013-5573
BugTraq ID: 64414
http://www.securityfocus.com/bid/64414
Bugtraq: 20131217 [CVE-2013-5573] Jenkins v1.523 Default markup formatter permits offsite-bound forms
http://seclists.org/bugtraq/2013/Dec/104
http://www.exploit-db.com/exploits/30408
http://seclists.org/fulldisclosure/2013/Dec/159
http://packetstormsecurity.com/files/124513
http://www.osvdb.org/101187
XForce ISS Database: jenkins-cve20135573-xss(89872)
https://exchange.xforce.ibmcloud.com/vulnerabilities/89872
Copyright: Copyright (C) 2016 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.