Detections
Analytics

FreeBSD : jenkins -- multiple vulnerabilities (7e01df39-db7e-11e5-b937-00e0814cab4e)

high Nessus Plugin ID 88945

Language:

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Jenkins Security Advisory : DescriptionSECURITY-232 / CVE-2016-0788(Remote code execution vulnerability in remoting module) A vulnerability in the Jenkins remoting module allowed unauthenticated remote attackers to open a JRMP listener on the server hosting the Jenkins master process, which allowed arbitrary code execution.
SECURITY-238 / CVE-2016-0789(HTTP response splitting vulnerability) An HTTP response splitting vulnerability in the CLI command documentation allowed attackers to craft Jenkins URLs that serve malicious content.
SECURITY-241 / CVE-2016-0790(Non-constant time comparison of API token) The verification of user-provided API tokens with the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to use statistical methods to determine valid API tokens using brute-force methods. SECURITY-245 / CVE-2016-0791(Non-constant time comparison of CSRF crumbs) The verification of user-provided CSRF crumbs with the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to use statistical methods to determine valid CSRF crumbs using brute-force methods. SECURITY-247 / CVE-2016-0792(Remote code execution through remote API) Jenkins has several API endpoints that allow low-privilege users to POST XML files that then get deserialized by Jenkins. Maliciously crafted XML files sent to these API endpoints could result in arbitrary code execution.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?c87d9d2e

http://www.nessus.org/u?c9419a39

Plugin Details

Severity: High

ID: 88945

File Name: freebsd_pkg_7e01df39db7e11e5b93700e0814cab4e.nasl

Version: 2.3

Type: local

Published: 2/25/2016

Updated: 1/4/2021

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:jenkins, p-cpe:/a:freebsd:freebsd:jenkins-lts, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2/25/2016

Vulnerability Publication Date: 2/24/2016