CVE-2017-17383
https://notcve.org/view.php?id=CVE-2017-17383
Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624. Jenkins hasta la versión 2.93 permite que administradores remotos no autenticados lleven a cabo ataques de XSS mediante un nombre de herramienta manipulado en un formulario de configuración de trabajos, tal y como demuestra la herramienta JDK en Jenkins core y la herramienta Ant en el plugin Ant. Esto también se conoce como SECURITY-624. • http://vsintelli.com/portal/blog/23-security-advisory-2017-12-04 http://www.securityfocus.com/bid/102130 https://jenkins.io/security/advisory/2017-12-05 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-9635
https://notcve.org/view.php?id=CVE-2014-9635
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies. Jenkins en versiones anteriores a la 1.586 no establece el indicador "HttpOnly" en un encabezado Set-Cookie para cookies de sesión cuando se ejecuta en Tomcat 7.0.41 o siguientes, lo que facilita que los atacantes remotos obtengan información potencialmente sensible mediante el acceso del script a las cookies. • http://www.openwall.com/lists/oss-security/2015/01/22/3 http://www.securityfocus.com/bid/72054 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682 https://bugzilla.redhat.com/show_bug.cgi?id=1185151 https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710 https://issues.jenkins-ci.org/browse/JENKINS-25019 https://jenkins.io/changelog-old • CWE-254: 7PK - Security Features •
CVE-2014-9634
https://notcve.org/view.php?id=CVE-2014-9634
Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session. Jenkins en versiones anteriores a la 1.586 no establece el indicador "secure" cuando se ejecuta en Tomcat 7.0.41 o posterior, lo que facilita que los atacantes remotos capturen cookies interceptando su transmisión en una sesión HTML. • http://www.openwall.com/lists/oss-security/2015/01/22/3 http://www.securityfocus.com/bid/72054 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682 https://bugzilla.redhat.com/show_bug.cgi?id=1185148 https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710 https://issues.jenkins-ci.org/browse/JENKINS-25019 https://jenkins.io/changelog-old • CWE-254: 7PK - Security Features •
CVE-2017-1000362
https://notcve.org/view.php?id=CVE-2017-1000362
The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards. Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. • https://jenkins.io/security/advisory/2017-02-01 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2017-1000353 – CloudBees Jenkins 2.32.1 - Java Deserialization
https://notcve.org/view.php?id=CVE-2017-1000353
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default. • https://www.exploit-db.com/exploits/41965 https://github.com/vulhub/CVE-2017-1000353 https://github.com/r00t4dm/Jenkins-CVE-2017-1000353 http://packetstormsecurity.com/files/159266/Jenkins-2.56-CLI-Deserialization-Code-Execution.html http://www.securityfocus.com/bid/98056 https://jenkins.io/security/advisory/2017-04-26 https://www.oracle.com/security-alerts/cpuapr2022.html • CWE-502: Deserialization of Untrusted Data •