Jenkins < 1.502 / 1.480.3 and Jenkins Enterprise 1.447.x / 1.466.x / 1.480.x < 1.447.7.1 / 1.466.13.1 / 1.480.3.1 Multiple Vulnerabilities

high Nessus Plugin ID 65056

Synopsis

The remote web server hosts a job scheduling / management system that is affected by multiple vulnerabilities.

Description

The remote web server hosts a version of Jenkins or Jenkins Enterprise that is affected by multiple vulnerabilities :

- An unspecified cross-site scripting vulnerability.
(CVE-2013-0328)

- Multiple unspecified cross-site request forgery vulnerabilities. (CVE-2013-0327, CVE-2013-0329)

- An unspecified denial of service vulnerability.
(CVE-2013-0331)

- An unspecified security bypass vulnerability exists that could allow an attacker to build otherwise restricted jobs. (CVE-2013-0330)

Solution

Upgrade to Jenkins 1.502 / 1.480.3, Jenkins Enterprise 1.447.7.1 / 1.466.13.1 / 1.480.3.1 or later.

See Also

http://www.nessus.org/u?874c7641

http://www.nessus.org/u?02083a79

Plugin Details

Severity: High

ID: 65056

File Name: jenkins_1_502.nasl

Version: 1.18

Type: combined

Agent: windows, macosx, unix

Family: CGI abuses

Published: 3/6/2013

Updated: 6/5/2024

Configuration: Enable thorough checks

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2013-0329

Vulnerability Information

CPE: cpe:/a:jenkins:jenkins, cpe:/a:cloudbees:jenkins

Required KB Items: installed_sw/Jenkins

Exploit Ease: No known exploits are available

Patch Publication Date: 2/16/2013

Vulnerability Publication Date: 2/16/2013

Reference Information

CVE: CVE-2013-0327, CVE-2013-0328, CVE-2013-0329, CVE-2013-0330, CVE-2013-0331

BID: 58454, 58456, 58721, 58722, 58726

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990