CVE-2017-1000398
https://notcve.org/view.php?id=CVE-2017-1000398
The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks. La API remota en Jenkins 2.73.1 y anteriores y 2.83 y anteriores en /computer/(agent-name)/api mostraba información sobre tareas (normalmente builds) que se están ejecutando en el agente. Esto incluía información sobre tareas que, de otra forma, no son accesibles para el usuario actual, por ejemplo, debido a la falta de permisos Item/Read. • https://jenkins.io/security/advisory/2017-10-11 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2017-1000401
https://notcve.org/view.php?id=CVE-2017-1000401
The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to a HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged. El control de formularios por defecto en Jenkins 2.73.1 y anteriores y 2.83 y anteriores para contraseñas y otros secretos, , es compatible con validación de formularios (por ejemplo, para claves API). Las peticiones AJAX de validación de formularios se enviaron mediante GET, lo que podría resultar en que los secretos se registren en un log de acceso HTTP en configuraciones que no son por defecto de Jenkins y se pongan a disposición de usuarios con acceso a estos archivos de registro. • https://jenkins.io/security/advisory/2017-10-11 • CWE-20: Improper Input Validation •
CVE-2017-1000400
https://notcve.org/view.php?id=CVE-2017-1000400
The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /job/(job-name)/api contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to. La API remota de Jenkins 2.73.1 y anteriores y 2.83 y anteriores en /job/(job-name)/api contenía información sobre los proyectos de subida y bajada. Esto incluía información sobre tareas que, de otra forma, no son accesibles para el usuario actual, por ejemplo, debido a la falta de permisos Item/Read. • https://jenkins.io/security/advisory/2017-10-11 • CWE-862: Missing Authorization •
CVE-2017-1000392
https://notcve.org/view.php?id=CVE-2017-1000392
Jenkins 2.88 and earlier; 2.73.2 and earlier Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters. En Jenkins 2.88 y anteriores y 2.73 y anteriores, las sugerencias de autocompletar para los campos de texto no se escaparon, lo que resulta en una vulnerabilidad de Cross-Site Scripting (XSS) persistente si el origen para las sugerencias permitía especificar texto que incluye metacaracteres como menor que y mayor que. • http://www.securityfocus.com/bid/101773 http://www.securityfocus.com/bid/102826 https://jenkins.io/security/advisory/2017-11-08 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-1000399
https://notcve.org/view.php?id=CVE-2017-1000399
The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to. La API remota de Jenkins 2.73.1 y anteriores y 2.83 y anteriores en /queue/item/(ID)/api mostraba información sobre las tareas en la cola (normalmente, builds esperando iniciarse). Esto incluía información sobre tareas que, de otra forma, no son accesibles para el usuario actual, por ejemplo, debido a la falta de permisos Item/Read. • https://jenkins.io/security/advisory/2017-10-11 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •