CVSS: 6.8EPSS: 2%CPEs: 2EXPL: 0CVE-2014-3665
https://notcve.org/view.php?id=CVE-2014-3665
Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave. Jenkins en versiones anteriores a 1.587 y LTS en versiones anteriores a 1.580.1 no asegura correctamente la separación de confianza entre un maestro y un esclavo, lo que podría permitir a atacantes remotos ejecutar código arbitrario en el maestro aprovechando el acceso al esclavo. • https://bugzilla.redhat.com/show_bug.cgi?id=1147767 https://wiki.jenkins-ci.org/display/JENKINS/Slave+To+Master+Access+Control https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30 https://www.cloudbees.com/jenkins-security-advisory-2014-10-30 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.0EPSS: 0%CPEs: 4EXPL: 0CVE-2015-5324 – jenkins: Queue API did show items not visible to the current user (SECURITY-186)
https://notcve.org/view.php?id=CVE-2015-5324
Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api. Jenkins en versiones anteriores a 1.638 y LTS en versiones anteriores a 1.625.2 permiten a atacantes remotos obtener información sensible a través de petición directa a queue/api. • http://rhn.redhat.com/errata/RHSA-2016-0489.html https://access.redhat.com/errata/RHSA-2016:0070 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11 https://access.redhat.com/security/cve/CVE-2015-5324 https://bugzilla.redhat.com/show_bug.cgi?id=1282367 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 80%CPEs: 4EXPL: 5CVE-2015-8103 – Jenkins CLI - RMI Java Deserialization
https://notcve.org/view.php?id=CVE-2015-8103
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'". El subsistema Jenkins CLI en Jenkins en versiones anteriores a 1.638 y LTS en versiones anteriores a 1.625.2 permite a atacantes remotos ejecutar código arbitrario a través de un objeto Java serializado manipulado, relacionado con una problemática de archivo webapps/ROOT/WEB-INF/lib/commons-collections-*.jar y la 'variante Groovy en 'ysoserial''. • https://www.exploit-db.com/exploits/38983 https://github.com/r00t4dm/Jenkins-CVE-2015-8103 http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jenkins http://packetstormsecurity.com/files/134805/Jenkins-CLI-RMI-Java-Deserialization.html http://rhn.redhat.com/errata/RHSA-2016-0489.html http://www.openwall.com/lists/oss-security/2015/11/09/5 http://www.openwall.com/lists/oss-security/2015/11/18/ • CWE-502: Deserialization of Untrusted Data •
CVSS: 3.5EPSS: 0%CPEs: 3EXPL: 0CVE-2015-1808 – jenkins: update center metadata retrieval DoS attack (SECURITY-163)
https://notcve.org/view.php?id=CVE-2015-1808
Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data. Jenkins en versiones anteriores a 1.600 y LTS en versiones anteriores a 1.596.1 permite a usuarios remotos autenticados provocar una denegación de servicio (plug-in indebido e instalación de herramienta) a través del centro de datos actualizado manipulado. A denial of service flaw was found in the way Jenkins handled certain update center data. An authenticated user could provide specially crafted update center data to Jenkins, causing plug-in and tool installation to not work properly. • http://rhn.redhat.com/errata/RHSA-2015-1844.html https://access.redhat.com/errata/RHSA-2016:0070 https://bugzilla.redhat.com/show_bug.cgi?id=1205623 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 https://access.redhat.com/security/cve/CVE-2015-1808 • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2015-1806 – jenkins: Combination filter Groovy script unsecured (SECURITY-125)
https://notcve.org/view.php?id=CVE-2015-1806
The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors. La secuencia de comandos del filtro de combinación Groovy en Jenkins en versiones anteriores a 1.600 y LTS en versiones anteriores a 1.596.1 permite a usuarios remotos autenticados con permisos de configuración de trabajo obtener privilegios y ejecutar código arbitrario en el maestro a través de vectores no especificados. It was found that the combination filter Groovy script could allow a remote attacker to potentially execute arbitrary code on a Jenkins master. • http://rhn.redhat.com/errata/RHSA-2015-1844.html https://access.redhat.com/errata/RHSA-2016:0070 https://bugzilla.redhat.com/show_bug.cgi?id=1205620 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 https://access.redhat.com/security/cve/CVE-2015-1806 • CWE-264: Permissions, Privileges, and Access Controls •