CVE-2016-0789 – jenkins: HTTP response splitting vulnerability (SECURITY-238)
https://notcve.org/view.php?id=CVE-2016-0789
CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. Vulnerabilidad de inyección CRLF en la documentación de comando de la CLI en Jenkins en versiones anteriores a 1.650 y LTS en versiones anteriores a 1.642.2 permite a atacantes remotos inyectar cabeceras HTTP arbitrarias y llevar a cabo ataques de separación de respuesta HTTP a través de vectores no especificados. • http://rhn.redhat.com/errata/RHSA-2016-1773.html https://access.redhat.com/errata/RHSA-2016:0711 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24 https://access.redhat.com/security/cve/CVE-2016-0789 https://bugzilla.redhat.com/show_bug.cgi?id=1311947 • CWE-20: Improper Input Validation •
CVE-2016-0788 – jenkins: Remote code execution vulnerability in remoting module (SECURITY-232)
https://notcve.org/view.php?id=CVE-2016-0788
The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener. El módulo remoting en Jenkins en versiones anteriores a 1.650 y LTS en versiones anteriores a 1.642.2 permite a atacantes remotos ejecutar código arbitrario abriendo un listener JRMP. • http://rhn.redhat.com/errata/RHSA-2016-1773.html https://access.redhat.com/errata/RHSA-2016:0711 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24 https://access.redhat.com/security/cve/CVE-2016-0788 https://bugzilla.redhat.com/show_bug.cgi?id=1311946 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2015-7538 – jenkins: CSRF protection ineffective (SECURITY-233)
https://notcve.org/view.php?id=CVE-2015-7538
Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors. Jenkins en versiones anteriores a 1.640 y LTS en versiones anteriores a 1.625.2 permite a atacantes remotos eludir el mecanismo de protección CSRF a través de vectores no especificados. • http://rhn.redhat.com/errata/RHSA-2016-0489.html https://access.redhat.com/errata/RHSA-2016:0070 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09 https://access.redhat.com/security/cve/CVE-2015-7538 https://bugzilla.redhat.com/show_bug.cgi?id=1291797 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2015-7539 – jenkins: Jenkins plugin manager vulnerable to MITM attacks (SECURITY-234)
https://notcve.org/view.php?id=CVE-2015-7539
The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin. The Plugins Manager in Jenkins en versiones anteriores a 1.640 y LTS en versiones anteriores a 1.625.2 no verifica sumas de comprobación para archivos de plugin referenciados en datos del sitio de actualización, lo que facilita a atacantes man-in-the-middle ejecutar código arbitrario a través de un plugin manipulado. • http://rhn.redhat.com/errata/RHSA-2016-0489.html https://access.redhat.com/errata/RHSA-2016:0070 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09 https://access.redhat.com/security/cve/CVE-2015-7539 https://bugzilla.redhat.com/show_bug.cgi?id=1291798 • CWE-345: Insufficient Verification of Data Authenticity •
CVE-2015-7536
https://notcve.org/view.php?id=CVE-2015-7536
Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts. Vulnerabilidad de XSS en Jenkins en versiones anteriores a 1.640 y LTS en versiones anteriores a 1.625.2 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados relacionados con espacios de trabajo y artefactos archivados. • https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •