CVSS: 4.6EPSS: 0%CPEs: 3EXPL: 0CVE-2015-1810 – jenkins: HudsonPrivateSecurityRealm allows creation of reserved names (SECURITY-166)
https://notcve.org/view.php?id=CVE-2015-1810
The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name. La clase HudsonPrivateSecurityRealm en Jenkins en versiones anteriores a 1.600 y LTS en versiones anteriores a 1.596.1 no restringe el acceso a nombres reservados cuando usan la configuración "base de datos de usuario propia Jenkins", lo que permite a atacantes remotos obtener privilegios creando un nombre reservado. It was discovered that the internal Jenkins user database did not restrict access to reserved names, allowing users to escalate privileges. • http://rhn.redhat.com/errata/RHSA-2015-1844.html https://access.redhat.com/errata/RHSA-2016:0070 https://bugzilla.redhat.com/show_bug.cgi?id=1205627 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 https://access.redhat.com/security/cve/CVE-2015-1810 • CWE-20: Improper Input Validation CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2015-1813 – jenkins: Reflective XSS vulnerability (SECURITY-171, SECURITY-177)
https://notcve.org/view.php?id=CVE-2015-1813
Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812. Vulnerabilidad de XSS en Jenkins en versiones anteriores a 1.606 y LTS en versiones anteriores a 1.596.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados, una vulnerabilidad diferente a CVE-2015-1812. Two cross-site scripting (XSS) flaws were found in Jenkins. A remote attacker could use these flaws to conduct XSS attacks against users of an application using Jenkins. • http://rhn.redhat.com/errata/RHSA-2015-1844.html https://access.redhat.com/errata/RHSA-2016:0070 https://bugzilla.redhat.com/show_bug.cgi?id=1205615 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23 https://access.redhat.com/security/cve/CVE-2015-1813 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2014-2064
https://notcve.org/view.php?id=CVE-2014-2064
The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts. La función loadUserByUsername en hudson/security/HudsonPrivateSecurityRealm.java en Jenkins en versiones anteriores a 1.551 y LTS en versiones anteriores a 1.532.2 permite a atacantes remotos determinar si existe un usuario relacionado con los intentos de acceso fallidos. • http://www.openwall.com/lists/oss-security/2014/02/21/2 https://github.com/jenkinsci/jenkins/commit/fbf96734470caba9364f04e0b77b0bae7293a1ec https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2014-2066
https://notcve.org/view.php?id=CVE-2014-2066
Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies. Vulnerabilidad de fijación de sesión en Jenkins en versiones anteriores a 1.551 y LTS en versiones anteriores a 1.532.2 permite a atacantes remotos secuestrar sesiones web a través de vectores implicando las cookies "override" de Jenkins. • http://www.openwall.com/lists/oss-security/2014/02/21/2 https://github.com/jenkinsci/jenkins/commit/8ac74c350779921598f9d5edfed39dd35de8842a https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14 • CWE-287: Improper Authentication •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2014-2062
https://notcve.org/view.php?id=CVE-2014-2062
Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token. Jenkins en versiones anteriores a 1.551 y LTS en versiones anteriores a 1.532.2 no invalida el token de la API cuando es eliminado un usuario, lo que permite a usuarios remotos autenticados conservar el acceso a través del token. • http://www.openwall.com/lists/oss-security/2014/02/21/2 https://github.com/jenkinsci/jenkins/commit/5548b5220cfd496831b5721124189ff18fbb12a3 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14 • CWE-287: Improper Authentication •