Description

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2016-0489.html

https://access.redhat.com/errata/RHSA-2016:0070

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11

Related Vulnerabilities

CVE-2018-3818 Vulnerability in npm package kibana

CVE-2011-2092 Vulnerability in maven package com.adobe.blazeds:flex-messaging-common

CVE-2022-32532 Vulnerability in maven package org.apache.shiro:shiro-core

CVE-2015-8860 Vulnerability in npm package tar

CVE-2020-35510 Vulnerability in maven package org.jboss.remoting:jboss-remoting

Severity

Critical

Classification

CWE-264

Tags

Vendor Advisory