CVE-2017-2602
https://notcve.org/view.php?id=CVE-2017-2602
jenkins before versions 2.44, 2.32.2 is vulnerable to an improper blacklisting of the Pipeline metadata files in the agent-to-master security subsystem. This could allow metadata files to be written to by malicious agents (SECURITY-358). Jenkins en versiones anteriores a la 2.44 y 2.32.2 es vulnerable a una lista negra incorrecta de los archivos de metadatos de Pipeline en el subsistema de seguridad de agente-maestro. Esto podría permitir que los archivos de metadatos sean escritos por agentes maliciosos (SECURITY-358). • http://www.securityfocus.com/bid/95952 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2602 https://github.com/jenkinsci/jenkins/commit/414ff7e30aba66bed18c4ee8a8660fb36fc8c655 https://jenkins.io/security/advisory/2017-02-01 • CWE-184: Incomplete List of Disallowed Inputs •
CVE-2017-2604
https://notcve.org/view.php?id=CVE-2017-2604
In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371). En Jenkins en versiones anteriores a la 2.44 y 2.32.2, los usuarios de privilegios bajos podían realizar acciones en los monitores administrativos debido a que no estaban protegidos de forma consistente por controles de permisos (SECURITY-371). • http://www.securityfocus.com/bid/95959 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2604 https://github.com/jenkinsci/jenkins/commit/6efcf6c2ac39bc5c59ac7251822be8ddf67ceaf8 https://jenkins.io/security/advisory/2017-02-01 • CWE-287: Improper Authentication CWE-358: Improperly Implemented Security Check for Standard •
CVE-2017-2610
https://notcve.org/view.php?id=CVE-2017-2610
jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in search suggestions due to improperly escaping users with less-than and greater-than characters in their names (SECURITY-388). Jenkins en versiones anteriores a la 2.44 y 2.32.2 es vulnerable a Cross-Site Scripting (XSS) persistente en las sugerencias de búsqueda debido al escapado incorrecto de usuarios con los caracteres "menor que" y "mayor que" en sus nombres (SECURITY-388). • http://www.securityfocus.com/bid/95951 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2610 https://github.com/jenkinsci/jenkins/commit/307ed31caba68a46426b8c73a787a05add2c7489 https://jenkins.io/security/advisory/2017-02-01 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-2608
https://notcve.org/view.php?id=CVE-2017-2608
Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383). Jenkins en versiones anteriores a la 2.44 y 2.32.2 es vulnerable a una vulnerabilidad de ejecución remota de código que implica la deserialización de varios tipos en javax.imageio en API basadas en XStream (SECURITY-383). • http://www.securityfocus.com/bid/95953 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2608 https://github.com/jenkinsci/jenkins/commit/a814154695e23dc37542af7d40cacc129cf70722 https://jenkins.io/security/advisory/2017-02-01 • CWE-502: Deserialization of Untrusted Data •
CVE-2017-2612
https://notcve.org/view.php?id=CVE-2017-2612
In Jenkins before versions 2.44, 2.32.2 low privilege users were able to override JDK download credentials (SECURITY-392), resulting in future builds possibly failing to download a JDK. En Jenkins en versiones anteriores a la 2.44 y 2.32.2, usuarios con pocos privilegios fueron capaces de omitir las credenciales de descarga JDK (SECURITY-392), lo que resulta en que las próximas builds no puedan descargar un JDK. • http://www.securityfocus.com/bid/95957 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2612 https://github.com/jenkinsci/jenkins/commit/a814154695e23dc37542af7d40cacc129cf70722 https://jenkins.io/security/advisory/2017-02-01 • CWE-358: Improperly Implemented Security Check for Standard CWE-732: Incorrect Permission Assignment for Critical Resource •