Page 5 of 60 results (0.014 seconds)

CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0

CVE-2016-3721 – jenkins: Arbitrary build parameters are passed to build scripts as environment variables (SECURITY-170)

https://notcve.org/view.php?id=CVE-2016-3721

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables. Jenkins en versiones anteriores a 2.3 y LTS en versiones anteriores a 1.651.2 podría permitir a usuarios remotos autenticados inyectar parámetros de construcción arbitrarios en el entorno de construcción a través de variables del entorno. • http://rhn.redhat.com/errata/RHSA-2016-1773.html http://www.openwall.com/lists/oss-security/2024/05/02/3 https://access.redhat.com/errata/RHSA-2016:1206 https://wiki.jenkins-ci.org/display/JENKINS/Plugins+affected+by+fix+for+SECURITY-170 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11 https://www.cloudbees.com/jenkins-security-advisory-2016-05-11 https://access.redhat.com/security/cve/CVE-2016-3721 https://bugzilla.redhat.com/show_bug.cgi • CWE-17: DEPRECATED: Code •

CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0

CVE-2016-2142 – openshift: Bind password for AD account is stored in world readable file

https://notcve.org/view.php?id=CVE-2016-2142

Red Hat OpenShift Enterprise 3.1 uses world-readable permissions on the /etc/origin/master/master-config.yaml configuration file, which allows local users to obtain Active Directory credentials by reading the file. Red Hat OpenShift Enterprise 3.1 utiliza permisos de lectura para todos en el archivo de configuración /etc/origin/master/master-config.yaml, lo que permite a usuarios locales obtener credenciales del Active Directory leyendo el archivo. An access flaw was discovered in OpenShift; the /etc/origin/master/master-config.yaml configuration file, which could contain Active Directory credentials, was world-readable. A local user could exploit this flaw to obtain authentication credentials from the master-config.yaml file. • https://access.redhat.com/errata/RHSA-2016:1038 https://access.redhat.com/security/cve/CVE-2016-2142 https://bugzilla.redhat.com/show_bug.cgi?id=1311220 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •

CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0

CVE-2016-0791 – jenkins: Non-constant time comparison of CSRF crumbs (SECURITY-245)

https://notcve.org/view.php?id=CVE-2016-0791

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach. Jenkins en versiones anteriores a 1.650 y LTS en versiones anteriores a 1.642.2 no utiliza un algoritmo de tiempo constante para verificar tokens CSRF, lo que hace más fácil para atacantes remotos eludir el mecanismo de protección CSRF a través de una aproximación por fuerza bruta. • http://rhn.redhat.com/errata/RHSA-2016-1773.html https://access.redhat.com/errata/RHSA-2016:0711 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24 https://access.redhat.com/security/cve/CVE-2016-0791 https://bugzilla.redhat.com/show_bug.cgi?id=1311949 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 9.0EPSS: 97%CPEs: 3EXPL: 4

CVE-2016-0792 – Jenkins < 1.650 - Java Deserialization

https://notcve.org/view.php?id=CVE-2016-0792

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando. Múltiples terminales API no especificadas en Jenkins en versiones anteriores a 1.650 y LTS en versiones anteriores a 1.642.2 permiten a usuarios remotos autenticados ejecutar código arbitrario a través de datos serializados en un archivo XML, relacionado con XStream y groovy.util.Expando. Jenkins versions prior to 1.650 suffer from a java deserialization vulnerability. • https://www.exploit-db.com/exploits/42394 https://www.exploit-db.com/exploits/43375 https://github.com/Aviksaikat/CVE-2016-0792 http://rhn.redhat.com/errata/RHSA-2016-1773.html https://access.redhat.com/errata/RHSA-2016:0711 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24 https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream https://access.redhat.com/security/cve/CVE-2016-0792 https://bugzilla.redhat.com/show_ • CWE-20: Improper Input Validation •

CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0

CVE-2016-0790 – jenkins: Non-constant time comparison of API token (SECURITY-241)

https://notcve.org/view.php?id=CVE-2016-0790

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach. Jenkins en versiones anteriores a 1.650 y LTS en versiones anteriores a 1.642.2 no utiliza un algoritmo de tiempo constante para verificar tokens API, lo que hace más fácil para atacantes remotos determinar tokens API a través de una aproximación por fuerza bruta. • http://rhn.redhat.com/errata/RHSA-2016-1773.html https://access.redhat.com/errata/RHSA-2016:0711 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24 https://access.redhat.com/security/cve/CVE-2016-0790 https://bugzilla.redhat.com/show_bug.cgi?id=1311948 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-254: 7PK - Security Features •