The remote web server hosts a version of Jenkins that is prior to 2.44, or a version of Jenkins LTS prior to 2.32.2, or else a version of Jenkins Operations Center that is 1.625.x.y prior to 1.625.22.1, 2.7.x.0.y prior to 2.7.22.0.1, or 2.x.y.x prior to 2.32.2.1, or else a version of Jenkins Enterprise that is 1.651.x.y prior to 1.651.22.1, 2.7.x.0.y prior to 2.7.22.0.1, or 2.x.y.z prior to 2.32.2.1. It is, therefore, affected by the following vulnerabilities :

  - A DOM-based cross-site scripting (XSS) vulnerability     exists in jQuery Core due to improper validation of     certain tags while being rendered using innerHTML. An     unauthenticated, remote attacker can exploit this, via     a specially crafted request, to execute arbitrary script     code in the user's browser session. (CVE-2011-4969)

  - An integer overflow condition exists in jBCrypt in the     key stretching implementation in gensalt, within the     crypt_raw() function, which is triggered when the     'log_rounds' parameter is set to the maximum value (31).
    An unauthenticated, remote attacker can exploit this to     cause log_rounds to perform zero rounds, allowing a     brute-force attack to more easily determine the password     hash. (CVE-2015-0886)

  - A cross-site request forgery vulnerability (XSRF) exists     due to several URLs related to group and role management     not requiring POST form submission. An unauthenticated,     remote attacker can exploit this to create unused roles,     delete unused roles, and set group descriptions. Note     that only Jenkins Enterprise is affected by this issue.
    (CVE-2016-9887)

  - A flaw exists when sensitive data, such as passwords, is     encrypted using AES-128 with electronic codebook mode     (ECB). An authenticated, remote attacker can exploit     this to disclose information about reused passwords.
    (CVE-2017-2598)

  - An unspecified flaw exists that is triggered when     handling new items due to insufficient permission     checks. An authenticated, remote attacker can exploit     this, by using the name of an already existing item, to     create a new item that overwrites the existing item or     to gain access to related objects. (CVE-2017-2599)

  - An information disclosure vulnerability exists due to     improper permissions being set for accessing node     monitor data via the remote API. An authenticated,     remote attacker can exploit this to disclose system     configuration and runtime information. (CVE-2017-2600)

  - A stored cross-site scripting (XSS) vulnerability exists     due to improper validation of input to names and     descriptions fields before returning it to users. An     authenticated, remote attacker can exploit this, via a     specially crafted request, to execute arbitrary script     code in a user's browser session. (CVE-2017-2601)

  - A flaw exists in the Agent-to-Master Security Subsystem     because build metadata from the Pipeline suite is not     properly blacklisted. An authenticated, remote attacker     can exploit this to overwrite metadata files.
    (CVE-2017-2602)

  - A flaw exists in the config.xml API when handling     user-initiated agent disconnects, which results in User     objects being included in the agent API output. An     authenticated, remote attacker can exploit this to     disclose sensitive information (e.g., user API tokens).
    (CVE-2017-2603)

  - A flaw exists when handling permissions for     administrative monitors that allows an authenticated,     remote attacker to access certain provided actions.
    (CVE-2017-2604)

  - A flaw exists in the internal API, specifically within     the Jenkins::getItems() function, when requesting a list     of items via UnprotectedRootAction. An authenticated,     remote attacker can exploit this to disclose information     regarding otherwise restricted items. (CVE-2017-2606)

  - A stored cross-site scripting (XSS) vulnerability exists     due to improper validation of input passed via     serialized console notes before returning it to users in     build logs. An authenticated, remote attacker can     exploit this, via a specially crafted request, to     execute arbitrary script code in a user's browser     session. (CVE-2017-2607)

  - A flaw exists in the XStream-based API due to improper     validation of user-supplied input before it is     deserialized. An authenticated, remote attacker can     exploit this, via a specially crafted request, to     execute arbitrary code. (CVE-2017-2608)

  - A flaw exists in the search box implementation due to     the autocompletion feature displaying the names of     restricted views. An authenticated, remote attacker can     exploit this to disclose sensitive names of views.
    (CVE-2017-2609)

  - A stored cross-site scripting (XSS) vulnerability exists     due to improper validation of input passed in user names     before returning it to users. An authenticated, remote     attacker can exploit this, via a specially crafted     request, to execute arbitrary script code in a user's     browser session. (CVE-2017-2610)

  - A flaw exists due to improper validation of permissions     to the /workspaceCleanup and /fingerprintCleanup URLs.
    An authenticated, remote attacker can exploit this to     cause a high load on the master and agents.
    (CVE-2017-2611)

  - A flaw exists due to a failure to properly restrict     access to JDK download credentials. An authenticated,     remote attacker can exploit this to overwrite the     credentials, thereby causing builds to fail.
    (CVE-2017-2612)

  - A cross-site request forgery (XSRF) vulnerability exists     due to a failure by HTTP GET requests to /user to     require multiple steps, explicit confirmation, or a     unique token when performing certain sensitive actions.
    An unauthenticated, remote attacker can exploit this, by     convincing a user to follow a specially crafted link, to     cause the creation of new temporary users.
    (CVE-2017-2613)

  - An information disclosure vulnerability which exists in     its re-key admin monitor component due to world readable     permissions being set on the directory it creates to     store secret information. An unauthenticated, remote     attacker can exploit this to disclose information     contained in this directory.
    (CVE-2017-1000362)

Detections

Analytics

Jenkins < 2.44 / 2.32.x < 2.32.2, Jenkins Operations Center < 1.625.22.1 / 2.7.22.0.1 / 2.32.2.1, and Jenkins Enterprise < 1.651.22.1 / 2.7.22.0.1 / 2.32.2.1 Multiple Vulnerabilities

high Nessus Plugin ID 97609

Version 1.16