jenkins -- multiple vulnerabilities

Affected packages
jenkins <= 1.605
jenkins-lts <= 1.596.1
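Checking an installed or remote instance against the two ranges above is the first thing an operator wants to do. The following script is an added example, not part of this VuXML entry or of Jenkins; it assumes the version is read from the `X-Jenkins` response header that Jenkins sets on its HTTP responses (or from the package database), and the header samples at the bottom are constructed, not captured.

```python
"""Classify a Jenkins version string against the affected ranges of this entry.

Added example, not part of the FreeBSD or Jenkins advisory. Assumes the
version is taken from the X-Jenkins HTTP response header; sample headers
below are constructed for illustration.
"""
import re

# Affected ranges from the entry: weekly (jenkins) <= 1.605, LTS (jenkins-lts) <= 1.596.1
MAX_AFFECTED_WEEKLY = (1, 605)
MAX_AFFECTED_LTS = (1, 596, 1)


def parse_version(text):
    """Turn '1.605' or '1.596.1' into an integer tuple; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("not a plain Jenkins version string: %r" % text)
    return tuple(int(p) for p in m.groups() if p is not None)


def is_lts(version):
    """Jenkins LTS releases carry a third component (1.596.1); weeklies have two (1.605)."""
    return len(version) == 3


def is_affected(text):
    """True if the version falls inside the affected range of its own release line."""
    v = parse_version(text)
    if is_lts(v):
        return v <= MAX_AFFECTED_LTS
    return v <= MAX_AFFECTED_WEEKLY


def check_x_jenkins_header(headers):
    """Find the X-Jenkins header (case-insensitively) in a header dict and classify it.

    Returns (version_string, affected); (None, None) if the header is absent,
    e.g. because a reverse proxy strips it.
    """
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value, is_affected(value)
    return None, None


# Constructed sample header sets, not captured from a real server.
SAMPLE_HEADERS = [
    {"X-Jenkins": "1.605"},      # last affected weekly
    {"X-Jenkins": "1.606"},      # first fixed weekly
    {"X-Jenkins": "1.596.1"},    # last affected LTS
    {"X-Jenkins": "1.596.2"},    # first fixed LTS
    {"X-Jenkins": "1.580.3"},    # older LTS line, still affected
    {"Server": "nginx"},         # header stripped by a proxy
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(check_x_jenkins_header(h))
```

Note that an older LTS line such as 1.580.x is also inside the LTS range, so the check is "at or below 1.596.1", not "equal to 1.596.1"; a missing header is reported as unknown rather than silently treated as safe.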


VuXML ID 22dc4a22-d1e5-11e4-879c-00e0814cab4e
Discovery 2015-03-23
Entry 2015-03-24

Jenkins Security Advisory:


SECURITY-171, SECURITY-177 (Reflected XSS vulnerability)

An attacker with no access to Jenkins can lead a user to a carefully crafted URL and, through that user's browser, have them perform unintended actions in Jenkins. Because the victim's browser issues the requests, this vulnerability can be used to attack a Jenkins instance behind a firewall from outside, so long as the attacker knows where Jenkins is located.
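The pattern behind a reflected XSS is a page that copies a request parameter straight into its HTML. The code below is an added example, not Jenkins code and not a reproduction of the affected Jenkins pages: `render_*` stands in for any server-side page that echoes a parameter, the host name is a placeholder, and the payloads are constructed. It shows the vulnerable form beside the escaped form in both an element-body and an attribute context, and the URL an attacker would send to the victim.

```python
"""Reflected XSS: unsafe echo of a request parameter beside its escaped form.

Added example, not Jenkins code. The page, parameter name and host are
placeholders; payloads are constructed for illustration.
"""
import html
from urllib.parse import parse_qs, urlencode, urlsplit


def render_results_vulnerable(query):
    """Copies the parameter verbatim into HTML: attacker markup runs in the viewer's browser."""
    return "<p>Results for: %s</p>" % query


def render_results_hardened(query):
    """Escapes <, >, &, quotes: the parameter can only ever be text, never markup."""
    return "<p>Results for: %s</p>" % html.escape(query, quote=True)


def render_box_vulnerable(query):
    """Attribute context: an unescaped double quote lets the value break out of the attribute."""
    return '<input name="q" value="%s">' % query


def render_box_hardened(query):
    """quote=True also turns '"' into &quot;, so the value stays inside the attribute."""
    return '<input name="q" value="%s">' % html.escape(query, quote=True)


def handle_request(url, renderer):
    """Simulate the server: parse the URL's query string and render the page with it."""
    params = parse_qs(urlsplit(url).query)
    return renderer(params.get("q", [""])[0])


def craft_attack_url(base_url, payload):
    """What the attacker sends the victim: a link to the real Jenkins host with the payload in the query.

    The attacker never talks to Jenkins; the victim's browser does, from inside the network.
    """
    return base_url + "?" + urlencode({"q": payload})


# Constructed payloads; the host is a placeholder for wherever Jenkins really lives.
BODY_PAYLOAD = "<script>fetch('/some-state-changing-url')</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'
TARGET = "http://jenkins.internal.example/some-page/"

if __name__ == "__main__":
    url = craft_attack_url(TARGET, BODY_PAYLOAD)
    print(url)
    print(handle_request(url, render_results_vulnerable))
    print(handle_request(url, render_results_hardened))
    url = craft_attack_url(TARGET, ATTR_PAYLOAD)
    print(handle_request(url, render_box_vulnerable))
    print(handle_request(url, render_box_hardened))
```

Escaping has to match the output context: `html.escape` without `quote=True` is enough for element bodies but not for attribute values, which is why the attribute variant is shown separately.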

SECURITY-180 (forced API token change)

The part of Jenkins that issues a new API token was not adequately protected against anonymous attackers, so a token could be regenerated without the account owner's involvement. This allows an attacker to escalate privileges on Jenkins.
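The general lesson of SECURITY-180 is that an endpoint which changes security-relevant state (here, rotating an API token) must check who is asking and whether the request really came from them, not just serve whoever reaches the URL. The code below is an added example and not Jenkins code; it does not reproduce the affected handler or its fix. Users, sessions and the anti-CSRF token (called a "crumb" here, after the Jenkins term) are an in-memory model constructed for illustration. The weak handler rotates the token for any caller; the hardened one requires a POST from an authenticated session acting on its own account (or an admin's), carrying a valid per-session crumb.

```python
"""Token-rotation endpoint: the weak form beside a hardened form.

Added example, not Jenkins code. USERS, SESSIONS and the crumb scheme are a
constructed in-memory model, not the real Jenkins implementation.
"""
import hmac
import secrets


class Forbidden(Exception):
    """Raised when the hardened handler refuses a request."""


# Constructed model: users with an API token, and session id -> principal.
USERS = {
    "alice": {"api_token": "tok-alice-0", "admin": False},
    "bob": {"api_token": "tok-bob-0", "admin": True},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
_CRUMB_KEY = secrets.token_bytes(32)   # server-side secret, generated at startup


def crumb_for(session_id):
    """Per-session anti-CSRF token: an HMAC a cross-site page can neither read nor forge."""
    return hmac.new(_CRUMB_KEY, session_id.encode(), "sha256").hexdigest()


def _rotate(user):
    USERS[user]["api_token"] = "tok-" + secrets.token_hex(8)
    return USERS[user]["api_token"]


def change_token_weak(target_user, request):
    """Weak: any request, anonymous or cross-site, rotates the target's token."""
    return _rotate(target_user)


def change_token_hardened(target_user, request):
    """Hardened: POST only, authenticated, own account or admin, valid crumb for this session."""
    if request.get("method") != "POST":
        raise Forbidden("state change requires POST")
    principal = SESSIONS.get(request.get("session"))
    if principal is None:
        raise Forbidden("anonymous callers may not change tokens")
    if principal != target_user and not USERS[principal]["admin"]:
        raise Forbidden("may not change another user's token")
    expected = crumb_for(request["session"]).encode()
    supplied = request.get("crumb", "").encode()
    if not hmac.compare_digest(expected, supplied):
        raise Forbidden("missing or invalid crumb")
    return _rotate(target_user)


if __name__ == "__main__":
    anonymous = {"method": "POST"}                      # no session at all
    cross_site = {"method": "POST", "session": "sess-alice"}  # cookie sent by the browser, no crumb
    legitimate = {"method": "POST", "session": "sess-alice", "crumb": crumb_for("sess-alice")}
    print("weak, anonymous:", change_token_weak("alice", anonymous))
    for name, req in [("anonymous", anonymous), ("cross-site", cross_site), ("legitimate", legitimate)]:
        try:
            print("hardened, %s:" % name, change_token_hardened("alice", req))
        except Forbidden as e:
            print("hardened, %s: refused (%s)" % (name, e))
```

The cross-site case is the one that an authentication check alone misses: the victim's browser attaches the session cookie to a request the attacker's page triggered, so the handler also needs something the attacker cannot obtain, which is what the per-session crumb provides.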