CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2015-5326 – jenkins: Stored XSS vulnerability in slave offline status message (SECURITY-214)
https://notcve.org/view.php?id=CVE-2015-5326
Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message. Vulnerabilidad de XSS en la página de vista general de esclavos en Jenkins en versiones anteriores a 1.638 y LTS en versiones anteriores a 1.625.2 permite a usuarios remotos autenticados con ciertos permisos inyectar secuencias de comandos web o HTML arbitrarios a través del mensaje de estado del esclavo fuera de línea. • http://rhn.redhat.com/errata/RHSA-2016-0489.html https://access.redhat.com/errata/RHSA-2016:0070 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11 https://access.redhat.com/security/cve/CVE-2015-5326 https://bugzilla.redhat.com/show_bug.cgi?id=1282369 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 83%CPEs: 4EXPL: 6CVE-2015-8103 – Jenkins CLI RMI Java Deserialization Vulnerability
https://notcve.org/view.php?id=CVE-2015-8103
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'". El subsistema Jenkins CLI en Jenkins en versiones anteriores a 1.638 y LTS en versiones anteriores a 1.625.2 permite a atacantes remotos ejecutar código arbitrario a través de un objeto Java serializado manipulado, relacionado con una problemática de archivo webapps/ROOT/WEB-INF/lib/commons-collections-*.jar y la 'variante Groovy en 'ysoserial''. • https://www.exploit-db.com/exploits/38983 https://github.com/r00t4dm/Jenkins-CVE-2015-8103 http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jenkins http://packetstormsecurity.com/files/134805/Jenkins-CLI-RMI-Java-Deserialization.html http://rhn.redhat.com/errata/RHSA-2016-0489.html http://www.openwall.com/lists/oss-security/2015/11/09/5 http://www.openwall.com/lists/oss-security/2015/11/18/ • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2015-1806 – jenkins: Combination filter Groovy script unsecured (SECURITY-125)
https://notcve.org/view.php?id=CVE-2015-1806
The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors. La secuencia de comandos del filtro de combinación Groovy en Jenkins en versiones anteriores a 1.600 y LTS en versiones anteriores a 1.596.1 permite a usuarios remotos autenticados con permisos de configuración de trabajo obtener privilegios y ejecutar código arbitrario en el maestro a través de vectores no especificados. It was found that the combination filter Groovy script could allow a remote attacker to potentially execute arbitrary code on a Jenkins master. • http://rhn.redhat.com/errata/RHSA-2015-1844.html https://access.redhat.com/errata/RHSA-2016:0070 https://bugzilla.redhat.com/show_bug.cgi?id=1205620 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 https://access.redhat.com/security/cve/CVE-2015-1806 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.0EPSS: 0%CPEs: 3EXPL: 0CVE-2015-1807 – jenkins: directory traversal from artifacts via symlink (SECURITY-162)
https://notcve.org/view.php?id=CVE-2015-1807
Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts. Vulnerabilidad de salto de directorio en Jenkins en versiones anteriores a 1.600 y LTS en versiones anteriores a 1.596.1 permite a usuarios remotos autenticados con ciertos permisos para leer archivos arbitrarios a través de un enlace simbólico, relacionado con los objetos de construcción. It was found that when building artifacts, the Jenkins server would follow symbolic links, potentially resulting in disclosure of information on the server. • http://rhn.redhat.com/errata/RHSA-2015-1844.html https://access.redhat.com/errata/RHSA-2016:0070 https://bugzilla.redhat.com/show_bug.cgi?id=1205622 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 https://access.redhat.com/security/cve/CVE-2015-1807 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 3.5EPSS: 0%CPEs: 3EXPL: 0CVE-2015-1808 – jenkins: update center metadata retrieval DoS attack (SECURITY-163)
https://notcve.org/view.php?id=CVE-2015-1808
Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data. Jenkins en versiones anteriores a 1.600 y LTS en versiones anteriores a 1.596.1 permite a usuarios remotos autenticados provocar una denegación de servicio (plug-in indebido e instalación de herramienta) a través del centro de datos actualizado manipulado. A denial of service flaw was found in the way Jenkins handled certain update center data. An authenticated user could provide specially crafted update center data to Jenkins, causing plug-in and tool installation to not work properly. • http://rhn.redhat.com/errata/RHSA-2015-1844.html https://access.redhat.com/errata/RHSA-2016:0070 https://bugzilla.redhat.com/show_bug.cgi?id=1205623 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 https://access.redhat.com/security/cve/CVE-2015-1808 • CWE-20: Improper Input Validation •