CVE-2015-5326 – jenkins: Stored XSS vulnerability in slave offline status message (SECURITY-214)
https://notcve.org/view.php?id=CVE-2015-5326
Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message. Vulnerabilidad de XSS en la página de vista general de esclavos en Jenkins en versiones anteriores a 1.638 y LTS en versiones anteriores a 1.625.2 permite a usuarios remotos autenticados con ciertos permisos inyectar secuencias de comandos web o HTML arbitrarios a través del mensaje de estado del esclavo fuera de línea. • http://rhn.redhat.com/errata/RHSA-2016-0489.html https://access.redhat.com/errata/RHSA-2016:0070 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11 https://access.redhat.com/security/cve/CVE-2015-5326 https://bugzilla.redhat.com/show_bug.cgi?id=1282369 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-5322 – jenkins: Local file inclusion vulnerability (SECURITY-195)
https://notcve.org/view.php?id=CVE-2015-5322
Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/. Vulnerabilidad de salto de directorio en Jenkins en versiones anteriores a 1.638 y LTS en versiones anteriores a 1.625.2 permite a atacantes remotos listar el contenido de directorio y leer archivos arbitrarios en los recursos de servlet Jenkins servlet a través de secuencias de salto de directorio en una petición de jnlpJars/. • http://rhn.redhat.com/errata/RHSA-2016-0489.html https://access.redhat.com/errata/RHSA-2016:0070 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11 https://access.redhat.com/security/cve/CVE-2015-5322 https://bugzilla.redhat.com/show_bug.cgi?id=1282365 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2015-5324 – jenkins: Queue API did show items not visible to the current user (SECURITY-186)
https://notcve.org/view.php?id=CVE-2015-5324
Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api. Jenkins en versiones anteriores a 1.638 y LTS en versiones anteriores a 1.625.2 permiten a atacantes remotos obtener información sensible a través de petición directa a queue/api. • http://rhn.redhat.com/errata/RHSA-2016-0489.html https://access.redhat.com/errata/RHSA-2016:0070 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11 https://access.redhat.com/security/cve/CVE-2015-5324 https://bugzilla.redhat.com/show_bug.cgi?id=1282367 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2015-5320 – jenkins: Secret key not verified when connecting a slave (SECURITY-184)
https://notcve.org/view.php?id=CVE-2015-5320
Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave. Jenkins en versiones anteriores a 1.638 y LTS en versiones anteriores a 1.625.2 no verifica adecuadamente el secreto compartido utilizado en conexiones esclavo JNLP, lo que permite a atacantes remotos conectar como esclavos y obtener información sensible o posiblemente obtener acceso administrativo aprovechando el conocimiento del nombre de un esclavo. • http://rhn.redhat.com/errata/RHSA-2016-0489.html https://access.redhat.com/errata/RHSA-2016:0070 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11 https://access.redhat.com/security/cve/CVE-2015-5320 https://bugzilla.redhat.com/show_bug.cgi?id=1282363 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2015-5321 – jenkins: Information disclosure via sidepanel (SECURITY-192)
https://notcve.org/view.php?id=CVE-2015-5321
The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages. Los widgets de panel lateral en el comando CLI de la páginas de resumen y ayuda en Jenkins en versiones anteriores a 1.638 y LTS en versiones anteriores a 1.625.2 permiten a atacantes remotos obtener información sensible a través de una petición directa a las páginas. • http://rhn.redhat.com/errata/RHSA-2016-0489.html https://access.redhat.com/errata/RHSA-2016:0070 https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11 https://access.redhat.com/security/cve/CVE-2015-5321 https://bugzilla.redhat.com/show_bug.cgi?id=1282364 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •