CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2016-3724 – jenkins: Encrypted secrets (e.g. passwords) were leaked to users with permission to read configuration (SECURITY-266)
https://notcve.org/view.php?id=CVE-2016-3724
17 May 2016 — Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration. Jenkins en versiones anteriores a 2.3 y LTS en versiones anteriores a 1.651.2 permite a usuarios remotos autenticados con acceso avanzado a lectura obtener información sensible de contraseña leyendo la configuración de trabajo. OpenShift Enterprise by Red Hat is the company's cloud computing Platform- as-a-Service solution designed for ... • http://rhn.redhat.com/errata/RHSA-2016-1773.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.0EPSS: 0%CPEs: 4EXPL: 0CVE-2016-3725 – jenkins: Regular users can trigger download of update site metadata (SECURITY-273)
https://notcve.org/view.php?id=CVE-2016-3725
17 May 2016 — Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption). Jenkins en versiones anteriores a 2.3 y LTS en versiones anteriores a 1.651.2 permite a usuarios remotos autenticados desencadenar actualizaciones de metadatos provenientes de portales de actualización aprovechando la falta de comprobación ... • http://rhn.redhat.com/errata/RHSA-2016-1773.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.4EPSS: 0%CPEs: 4EXPL: 1CVE-2016-3726 – jenkins: Open redirect to scheme-relative URLs (SECURITY-276)
https://notcve.org/view.php?id=CVE-2016-3726
17 May 2016 — Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs. Múltiples vulnerabilidades de redirección abierta en Jenkins en versiones anteriores a 2.3 y LTS en versiones anteriores a 1.651.2 permiten a atacantes remotos redirigir usuarios a sitios web arbitrarios y realizar ataques de phishing a través de vectores no especificados rel... • https://packetstorm.news/files/id/143229 •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2016-3727 – jenkins: Granting the permission to read node configurations allows access to overall system configuration (SECURITY-281)
https://notcve.org/view.php?id=CVE-2016-3727
17 May 2016 — The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors. La URL API computer/(master)/api/xml en Jenkins en versiones anteriores a 2.3 y LTS en versiones anteriores a 1.651.2 permite a usuarios remotos autenticados con permiso avanzado de lectura para el nodo maestro obtener información sensible sobre la configur... • http://rhn.redhat.com/errata/RHSA-2016-1773.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2016-3721 – jenkins: Arbitrary build parameters are passed to build scripts as environment variables (SECURITY-170)
https://notcve.org/view.php?id=CVE-2016-3721
17 May 2016 — Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables. Jenkins en versiones anteriores a 2.3 y LTS en versiones anteriores a 1.651.2 podría permitir a usuarios remotos autenticados inyectar parámetros de construcción arbitrarios en el entorno de construcción a través de variables del entorno. OpenShift Enterprise by Red Hat is the company's cloud computing Platform- as-a-Service solution desi... • http://rhn.redhat.com/errata/RHSA-2016-1773.html • CWE-17: DEPRECATED: Code •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-2149 – 3: logs from a deleted namespace can be revealed if a new namespace with the same name is created
https://notcve.org/view.php?id=CVE-2016-2149
13 May 2016 — Red Hat OpenShift Enterprise 3.2 allows remote authenticated users to read log files from another namespace by using the same name as a previously deleted namespace when creating a new namespace. Red Hat OpenShift Enterprise 3.2 permite a usuarios remotos autenticados leer archivos de registro de otro espacio de nombre utilizando el mismo nombre que un espacio de nombre que haya sido eliminado cuando se crea un nuevo espacio de nombre. It was found that OpenShift Enterprise would disclose log file contents ... • https://access.redhat.com/errata/RHSA-2016:1064 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-285: Improper Authorization •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2016-2160 – Privilege escalation when changing root password in sti builder image
https://notcve.org/view.php?id=CVE-2016-2160
13 May 2016 — Red Hat OpenShift Enterprise 3.2 and OpenShift Origin allow remote authenticated users to execute commands with root privileges by changing the root password in an sti builder image. Red Hat OpenShift Enterprise 3.2 y OpenShift Origin permiten a usuarios remotos autenticados ejecutar comandos con privilegios de root cambiando la contraseña de root en una imagen builder sti. A flaw was found in the building of containers within OpenShift Enterprise. An attacker could submit an image for building that execute... • https://access.redhat.com/errata/RHSA-2016:1064 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 3.3EPSS: 0%CPEs: 2EXPL: 0CVE-2016-3711 – haproxy: Setting cookie containing internal IP address of a pod
https://notcve.org/view.php?id=CVE-2016-3711
13 May 2016 — HAproxy in Red Hat OpenShift Enterprise 3.2 and OpenShift Origin allows local users to obtain the internal IP address of a pod by reading the "OPENSHIFT_[namespace]_SERVERID" cookie. HAproxy en Red Hat OpenShift Enterprise 3.2 y OpenShift Origin permite a usuarios locales obtener la dirección IP interna de un pod leyendo la cookie "OPENSHIFT_[namespace]_SERVERID". An information disclosure flaw was discovered in haproxy as used by OpenShift Enterprise; a cookie with the name "OPENSHIFT_[namespace]_SERVERID"... • https://access.redhat.com/errata/RHSA-2016:1064 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-2142 – openshift: Bind password for AD account is stored in world readable file
https://notcve.org/view.php?id=CVE-2016-2142
12 May 2016 — Red Hat OpenShift Enterprise 3.1 uses world-readable permissions on the /etc/origin/master/master-config.yaml configuration file, which allows local users to obtain Active Directory credentials by reading the file. Red Hat OpenShift Enterprise 3.1 utiliza permisos de lectura para todos en el archivo de configuración /etc/origin/master/master-config.yaml, lo que permite a usuarios locales obtener credenciales del Active Directory leyendo el archivo. An access flaw was discovered in OpenShift; the /etc/origin... • https://access.redhat.com/errata/RHSA-2016:1038 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 9.0EPSS: 90%CPEs: 3EXPL: 7CVE-2016-0792 – Jenkins < 1.650 - Java Deserialization
https://notcve.org/view.php?id=CVE-2016-0792
07 Apr 2016 — Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando. Múltiples terminales API no especificadas en Jenkins en versiones anteriores a 1.650 y LTS en versiones anteriores a 1.642.2 permiten a usuarios remotos autenticados ejecutar código arbitrario a través de datos serializados en un archivo XML, relacionado con XStream y groovy.util.Expando. O... • https://packetstorm.news/files/id/143523 • CWE-20: Improper Input Validation •