CVE-2017-1000396
https://notcve.org/view.php?id=CVE-2017-1000396
Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins. Jenkins 2.73.1 y anteriores y 2.83 y anteriores incluía una versión de la biblioteca commons-httpclient con la vulnerabilidad CVE-2012-6153 que verificaba incorrectamente los certificados SSL, volviéndolo susceptible a ataques de Man-in-the-Middle (MitM). Esta biblioteca es ampliamente empleada como dependencia transitiva en los plugins de Jenkins. • https://jenkins.io/security/advisory/2017-10-11 • CWE-295: Improper Certificate Validation •
CVE-2017-1000393
https://notcve.org/view.php?id=CVE-2017-1000393
Jenkins 2.73.1 and earlier, 2.83 and earlier users with permission to create or configure agents in Jenkins could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission typically only granted to administrators. Los usuarios de Jenkins 2.73.1 y anteriores y 2.83 y anteriores con permiso para crear o configurar agentes podrían configurar un método de inicio llamado "Launch agent via execution of command on master". Esto les permitía ejecutar comandos shell arbitrarios en el nodo del servidor maestro cada vez que se supone que se iba a iniciar el agente. • https://jenkins.io/security/advisory/2017-10-11 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2017-1000504
https://notcve.org/view.php?id=CVE-2017-1000504
A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective. Una condición de carrera durante el inicio de Jenkins 2.94 y anteriores y 2.89.1 y anteriores podría desembocar en un orden incorrecto de ejecución de comandos durante el proceso de inicialización. Hay muy poco espacio de tiempo tras el inicio, durante el cual Jenkins podría no mostrar más el mensaje "Please wait while Jenkins is getting ready to work", pero la protección Cross-Site Request Forgery (CSRF) tal vez no sea efectiva todavía. • https://jenkins.io/security/advisory/2017-12-14 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2017-17383
https://notcve.org/view.php?id=CVE-2017-17383
Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624. Jenkins hasta la versión 2.93 permite que administradores remotos no autenticados lleven a cabo ataques de XSS mediante un nombre de herramienta manipulado en un formulario de configuración de trabajos, tal y como demuestra la herramienta JDK en Jenkins core y la herramienta Ant en el plugin Ant. Esto también se conoce como SECURITY-624. • http://vsintelli.com/portal/blog/23-security-advisory-2017-12-04 http://www.securityfocus.com/bid/102130 https://jenkins.io/security/advisory/2017-12-05 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-1000353 – CloudBees Jenkins 2.32.1 - Java Deserialization
https://notcve.org/view.php?id=CVE-2017-1000353
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default. • https://www.exploit-db.com/exploits/41965 https://github.com/vulhub/CVE-2017-1000353 https://github.com/r00t4dm/Jenkins-CVE-2017-1000353 http://packetstormsecurity.com/files/159266/Jenkins-2.56-CLI-Deserialization-Code-Execution.html http://www.securityfocus.com/bid/98056 https://jenkins.io/security/advisory/2017-04-26 https://www.oracle.com/security-alerts/cpuapr2022.html • CWE-502: Deserialization of Untrusted Data •