Description

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=1147767

https://wiki.jenkins-ci.org/display/JENKINS/Slave+To+Master+Access+Control

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30

https://www.cloudbees.com/jenkins-security-advisory-2014-10-30

Related Vulnerabilities

CVE-2021-21622 Vulnerability in maven package io.jenkins.plugins:artifact-repository-parameter

CVE-2023-4061 Vulnerability in maven package org.wildfly.core:wildfly-controller

CVE-2017-2652 Vulnerability in maven package org.jvnet.hudson.plugins:distfork

CVE-2022-41937 Vulnerability in maven package org.xwiki.platform:xwiki-platform-filter-ui

CVE-2022-47551 Vulnerability in maven package io.apiman:apiman-manager-api-rest-impl

Severity

Critical

Classification

CWE-264

Tags

Vendor Advisory