Description

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2016-0489.html

https://access.redhat.com/errata/RHSA-2016:0070

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11

Related Vulnerabilities

CVE-2023-41329 Vulnerability in maven package com.github.tomakehurst:wiremock-jre8-standalone

CVE-2023-27987 Vulnerability in maven package org.apache.linkis:linkis-dist

CVE-2022-34794 Vulnerability in maven package org.jenkins-ci.plugins:recipe

CVE-2020-36732 Vulnerability in maven package org.webjars.bower:crypto-js

CVE-2018-1000191 Vulnerability in maven package com.blackducksoftware.integration:blackduck-detect

Severity

Critical

Classification

CWE-264

Tags

Vendor Advisory