CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1000068
https://notcve.org/view.php?id=CVE-2018-1000068
An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system. En el servicio KeyStore, hay una omisión de permisos que permite el acceso a recursos protegidos. Esto podría llevar a un escalado de privilegios local sin necesitar privilegios de ejecución del sistema. No se necesita interacción del usuario para explotarlo. Producto: Android. • http://www.securityfocus.com/bid/103101 https://jenkins.io/security/advisory/2018-02-14/#SECURITY-717 https://www.oracle.com/security-alerts/cpuapr2022.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 97%CPEs: 3EXPL: 3CVE-2017-1000353 – CloudBees Jenkins 2.32.1 - Java Deserialization
https://notcve.org/view.php?id=CVE-2017-1000353
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default. • https://www.exploit-db.com/exploits/41965 https://github.com/vulhub/CVE-2017-1000353 https://github.com/r00t4dm/Jenkins-CVE-2017-1000353 http://packetstormsecurity.com/files/159266/Jenkins-2.56-CLI-Deserialization-Code-Execution.html http://www.securityfocus.com/bid/98056 https://jenkins.io/security/advisory/2017-04-26 https://www.oracle.com/security-alerts/cpuapr2022.html • CWE-502: Deserialization of Untrusted Data •