Page 34 of 236 results (0.005 seconds)

CVSS: 9.8EPSS: 63%CPEs: 3EXPL: 3

CVE-2016-9299 – Jenkins CLI HTTP Java Deserialization Vulnerability

https://notcve.org/view.php?id=CVE-2016-9299

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server. El módulo remoting en Jenkins en versiones anteriores a 2.32 y LTS en versiones anteriores a 2.19.3 permite a atacantes remotos ejecutar código arbitrario a través de un objeto Java serializado, lo que desencadena una consulta LDAP a un servidor de terceros. • https://www.exploit-db.com/exploits/44642 https://github.com/r00t4dm/Jenkins-CVE-2016-9299 http://www.openwall.com/lists/oss-security/2016/11/12/4 http://www.openwall.com/lists/oss-security/2016/11/14/9 http://www.securityfocus.com/bid/94281 http://www.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class-deepsec-edition https://groups.google.com/forum/#%21original/jenkinsci-advisories/-fc-w9tNEJE/GRvEzWoJBgAJ https://groups.google.com/forum/# • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') •

CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0

CVE-2016-3722 – jenkins: Malicious users with multiple user accounts can prevent other users from logging in (SECURITY-243)

https://notcve.org/view.php?id=CVE-2016-3722

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name." Jenkins en versiones anteriores a 2.3 y LTS en versiones anteriores a 1.651.2 permiten a usuarios remotos autenticados con múltiples cuentas provocar una denegación de servicio (sin posibilidad de acceso) editando el "full name". • http://rhn.redhat.com/errata/RHSA-2016-1773.html https://access.redhat.com/errata/RHSA-2016:1206 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11 https://www.cloudbees.com/jenkins-security-advisory-2016-05-11 https://access.redhat.com/security/cve/CVE-2016-3722 https://bugzilla.redhat.com/show_bug.cgi?id=1335416 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 5.0EPSS: 0%CPEs: 4EXPL: 0

CVE-2016-3723 – jenkins: Information on installed plugins exposed via API (SECURITY-250)

https://notcve.org/view.php?id=CVE-2016-3723

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints. Jenkins en versiones anteriores a 2.3 y LTS en versiones anteriores a 1.651.2 permite a usuarios remotos autenticados con acceso a lectura obtener información sensible de instalación de plugin aprovechando la falta de comprobaciones de permisos en dispositivos XML/JSON API no especificados. • http://rhn.redhat.com/errata/RHSA-2016-1773.html https://access.redhat.com/errata/RHSA-2016:1206 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11 https://www.cloudbees.com/jenkins-security-advisory-2016-05-11 https://access.redhat.com/security/cve/CVE-2016-3723 https://bugzilla.redhat.com/show_bug.cgi?id=1335417 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0

CVE-2016-3724 – jenkins: Encrypted secrets (e.g. passwords) were leaked to users with permission to read configuration (SECURITY-266)

https://notcve.org/view.php?id=CVE-2016-3724

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration. Jenkins en versiones anteriores a 2.3 y LTS en versiones anteriores a 1.651.2 permite a usuarios remotos autenticados con acceso avanzado a lectura obtener información sensible de contraseña leyendo la configuración de trabajo. • http://rhn.redhat.com/errata/RHSA-2016-1773.html https://access.redhat.com/errata/RHSA-2016:1206 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11 https://www.cloudbees.com/jenkins-security-advisory-2016-05-11 https://access.redhat.com/security/cve/CVE-2016-3724 https://bugzilla.redhat.com/show_bug.cgi?id=1335418 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 5.0EPSS: 0%CPEs: 4EXPL: 0

CVE-2016-3725 – jenkins: Regular users can trigger download of update site metadata (SECURITY-273)

https://notcve.org/view.php?id=CVE-2016-3725

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption). Jenkins en versiones anteriores a 2.3 y LTS en versiones anteriores a 1.651.2 permite a usuarios remotos autenticados desencadenar actualizaciones de metadatos provenientes de portales de actualización aprovechando la falta de comprobación de permisos. NOTA: este problema puede darse en combinación con el envenenamiento de la caché DNS para provocar una denegación de servicio (interrupción de servicio). • http://rhn.redhat.com/errata/RHSA-2016-1773.html https://access.redhat.com/errata/RHSA-2016:1206 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11 https://www.cloudbees.com/jenkins-security-advisory-2016-05-11 https://access.redhat.com/security/cve/CVE-2016-3725 https://bugzilla.redhat.com/show_bug.cgi?id=1335420 • CWE-264: Permissions, Privileges, and Access Controls •