
CVSS: 7.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users. A flaw was found in the Jenkins API token-issuing service. The service was not properly protected against anonymous users, potentially allowing remote attackers to escalate privileges.

References:
• http://rhn.redhat.com/errata/RHSA-2015-1844.html
• https://access.redhat.com/errata/RHSA-2016:0070
• https://bugzilla.redhat.com/show_bug.cgi?id=1205616
• https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23
• https://access.redhat.com/security/cve/CVE-2015-1814

Weaknesses: CWE-264: Permissions, Privileges, and Access Controls; CWE-284: Improper Access Control

CVSS: 3.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.

References:
• http://www.openwall.com/lists/oss-security/2014/02/21/2
• https://github.com/jenkinsci/jenkins/commit/0530a6645aac10fec005614211660e98db44b5eb
• https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14

Weaknesses: CWE-264: Permissions, Privileges, and Access Controls

CVSS: 6.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

References:
• http://www.openwall.com/lists/oss-security/2014/02/21/2
• https://github.com/jenkinsci/jenkins/commit/b6b2a367a7976be80a799c6a49fa6c58d778b50e
• https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14

Weaknesses: CWE-264: Permissions, Privileges, and Access Controls

CVSS: 7.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

References:
• http://www.openwall.com/lists/oss-security/2014/02/21/2
• https://github.com/jenkinsci/jenkins/commit/16931bd7bf7560e26ef98328b8e95e803d0e90f6
• https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14

CVSS: 5.0 | EPSS: 0% | CPEs: 2 | EXPL: 0

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

References:
• http://www.openwall.com/lists/oss-security/2014/02/21/2
• https://github.com/jenkinsci/jenkins/commit/fbf96734470caba9364f04e0b77b0bae7293a1ec
• https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14

Weaknesses: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor