
CVE-2015-5325 – jenkins: JNLP slaves not subject to slave-to-master access control (SECURITY-206)
https://notcve.org/view.php?id=CVE-2015-5325
25 Nov 2015 — Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665. Jenkins en versiones anteriores a 1.638 y LTS en versiones anteriores a 1.625.2 permite a atacantes eludir las restricciones slave-to-master destinadas al acceso aprovechando un esclavo JNLP. NOTA: esta vulnerabilidad existe a causa de una solución incompleta para CVE-2014-3665. OpenShift... • http://rhn.redhat.com/errata/RHSA-2016-0489.html • CWE-284: Improper Access Control •

CVE-2015-5324 – jenkins: Queue API did show items not visible to the current user (SECURITY-186)
https://notcve.org/view.php?id=CVE-2015-5324
25 Nov 2015 — Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api. Jenkins en versiones anteriores a 1.638 y LTS en versiones anteriores a 1.625.2 permiten a atacantes remotos obtener información sensible a través de petición directa a queue/api. OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service solution designed for on-premise or private cloud deployments. The following security issues are addressed with... • http://rhn.redhat.com/errata/RHSA-2016-0489.html • CWE-264: Permissions, Privileges, and Access Controls •

CVE-2015-5319 – jenkins: XXE injection into job configurations via CLI (SECURITY-173)
https://notcve.org/view.php?id=CVE-2015-5319
25 Nov 2015 — XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job. Vulnerabilidad XXE en el comando create-job en CLI en Jenkins en versiones anteriores a 1.638 y LTS en versiones anteriores a 1.625.2 permite a atacantes remotos leer archivos arbitrarios a través de una configuración de trabajo m... • http://rhn.redhat.com/errata/RHSA-2016-0489.html •

CVE-2015-5321 – jenkins: Information disclosure via sidepanel (SECURITY-192)
https://notcve.org/view.php?id=CVE-2015-5321
25 Nov 2015 — The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages. Los widgets de panel lateral en el comando CLI de la páginas de resumen y ayuda en Jenkins en versiones anteriores a 1.638 y LTS en versiones anteriores a 1.625.2 permiten a atacantes remotos obtener información sensible a través de una petición directa a las páginas. OpenShift Enterprise by Red Hat is the co... • http://rhn.redhat.com/errata/RHSA-2016-0489.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2015-5323 – jenkins: API tokens of other users available to admins (SECURITY-200)
https://notcve.org/view.php?id=CVE-2015-5323
25 Nov 2015 — Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user. Jenkins en versiones anteriores a 1.638 y LTS en versiones anteriores a 1.625.2 no restringe adecuadamente el acceso a tokens de la API lo que podría permitir a administradores remotos obtener privilegios y ejecutar secuencias de comandos mediante el uso de un token de API de otro usuario. OpenShift Enterpr... • http://rhn.redhat.com/errata/RHSA-2016-0489.html • CWE-264: Permissions, Privileges, and Access Controls •

CVE-2015-1812 – jenkins: Reflective XSS vulnerability (SECURITY-171, SECURITY-177)
https://notcve.org/view.php?id=CVE-2015-1812
01 Oct 2015 — Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813. Vulnerabilidad de XSS en Jenkins en versiones anteriores a 1.606 y LTS en versiones anteriores a 1.596.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados, una vulnerabilidad diferente a CVE-2015-1813. Two cross-site sc... • http://rhn.redhat.com/errata/RHSA-2015-1844.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2015-1810 – jenkins: HudsonPrivateSecurityRealm allows creation of reserved names (SECURITY-166)
https://notcve.org/view.php?id=CVE-2015-1810
01 Oct 2015 — The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name. La clase HudsonPrivateSecurityRealm en Jenkins en versiones anteriores a 1.600 y LTS en versiones anteriores a 1.596.1 no restringe el acceso a nombres reservados cuando usan la configuración "base de datos de usuario propia Jenkins", lo que permite a at... • http://rhn.redhat.com/errata/RHSA-2015-1844.html • CWE-20: Improper Input Validation CWE-264: Permissions, Privileges, and Access Controls •

CVE-2015-1807 – jenkins: directory traversal from artifacts via symlink (SECURITY-162)
https://notcve.org/view.php?id=CVE-2015-1807
01 Oct 2015 — Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts. Vulnerabilidad de salto de directorio en Jenkins en versiones anteriores a 1.600 y LTS en versiones anteriores a 1.596.1 permite a usuarios remotos autenticados con ciertos permisos para leer archivos arbitrarios a través de un enlace simbólico, relacionado con los objetos de construcción. It was foun... • http://rhn.redhat.com/errata/RHSA-2015-1844.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-59: Improper Link Resolution Before File Access ('Link Following') •

CVE-2015-1814 – jenkins: forced API token change (SECURITY-180)
https://notcve.org/view.php?id=CVE-2015-1814
01 Oct 2015 — The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users. El servicio de emisión de token de API en Jenkins en versiones anteriores a 1.606 y LTS en versiones anteriores a 1.596.2 permite a atacantes remotos obtener privilegios a través de un "cambio forzado de token de API" involucrando a usuarios anónimos. A flaw was found in the Jenkins API token-issuing service. The service was not pr... • http://rhn.redhat.com/errata/RHSA-2015-1844.html • CWE-264: Permissions, Privileges, and Access Controls CWE-284: Improper Access Control •

CVE-2015-1808 – jenkins: update center metadata retrieval DoS attack (SECURITY-163)
https://notcve.org/view.php?id=CVE-2015-1808
01 Oct 2015 — Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data. Jenkins en versiones anteriores a 1.600 y LTS en versiones anteriores a 1.596.1 permite a usuarios remotos autenticados provocar una denegación de servicio (plug-in indebido e instalación de herramienta) a través del centro de datos actualizado manipulado. A denial of service flaw was found in the way Jenkins handled certain updat... • http://rhn.redhat.com/errata/RHSA-2015-1844.html • CWE-20: Improper Input Validation •