Description
The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.
Remediation
References
http://rhn.redhat.com/errata/RHSA-2016-1773.html
https://access.redhat.com/errata/RHSA-2016:1206
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
https://www.cloudbees.com/jenkins-security-advisory-2016-05-11