Description

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2016-1773.html

https://access.redhat.com/errata/RHSA-2016:1206

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11

https://www.cloudbees.com/jenkins-security-advisory-2016-05-11

Related Vulnerabilities

CVE-2018-0114 Vulnerability in npm package node-jose

CVE-2012-4458 Vulnerability in maven package org.apache.qpid:qpid-common

CVE-2008-6504 Vulnerability in maven package org.apache.struts:struts2-core

CVE-2009-2901 Vulnerability in maven package org.apache.tomcat:catalina

CVE-2021-21627 Vulnerability in maven package org.jenkins-ci.plugins:libvirt-slave

Severity

Medium

Classification

CWE-200 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory