
CVSS: 9.8 • EPSS: 97% • CPEs: 3 • EXPL: 3

Jenkins versions 2.56 and earlier, as well as 2.46.1 LTS and earlier, are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, which would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

• https://www.exploit-db.com/exploits/41965
• https://github.com/vulhub/CVE-2017-1000353
• https://github.com/r00t4dm/Jenkins-CVE-2017-1000353
• http://packetstormsecurity.com/files/159266/Jenkins-2.56-CLI-Deserialization-Code-Execution.html
• http://www.securityfocus.com/bid/98056
• https://jenkins.io/security/advisory/2017-04-26
• https://www.oracle.com/security-alerts/cpuapr2022.html
• CWE-502: Deserialization of Untrusted Data

CVSS: 9.8 • EPSS: 94% • CPEs: 3 • EXPL: 2

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

• https://www.exploit-db.com/exploits/44642
• https://github.com/r00t4dm/Jenkins-CVE-2016-9299
• http://www.openwall.com/lists/oss-security/2016/11/12/4
• http://www.openwall.com/lists/oss-security/2016/11/14/9
• http://www.securityfocus.com/bid/94281
• http://www.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class-deepsec-edition
• https://groups.google.com/forum/#%21original/jenkinsci-advisories/-fc-w9tNEJE/GRvEzWoJBgAJ
• https://groups.google.com/forum/#
• CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

CVSS: 5.0 • EPSS: 0% • CPEs: 4 • EXPL: 0

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

• http://rhn.redhat.com/errata/RHSA-2016-1773.html
• https://access.redhat.com/errata/RHSA-2016:1206
• https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
• https://www.cloudbees.com/jenkins-security-advisory-2016-05-11
• https://access.redhat.com/security/cve/CVE-2016-3725
• https://bugzilla.redhat.com/show_bug.cgi?id=1335420
• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 4.3 • EPSS: 0% • CPEs: 4 • EXPL: 0

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to log in) by editing the "full name."

• http://rhn.redhat.com/errata/RHSA-2016-1773.html
• https://access.redhat.com/errata/RHSA-2016:1206
• https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
• https://www.cloudbees.com/jenkins-security-advisory-2016-05-11
• https://access.redhat.com/security/cve/CVE-2016-3722
• https://bugzilla.redhat.com/show_bug.cgi?id=1335416
• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 7.4 • EPSS: 0% • CPEs: 4 • EXPL: 0

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs. DoorGets CMS version 7.0 suffers from an open redirect vulnerability.

• http://rhn.redhat.com/errata/RHSA-2016-1773.html
• https://access.redhat.com/errata/RHSA-2016:1206
• https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
• https://www.cloudbees.com/jenkins-security-advisory-2016-05-11
• https://access.redhat.com/security/cve/CVE-2016-3726
• https://bugzilla.redhat.com/show_bug.cgi?id=1335421