Description

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Remediation

References

CVE-2016-3725

Related Vulnerabilities

LimeSurvey Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-16178)

MyBB Permissions, Privileges, and Access Controls Vulnerability (CVE-2016-9403)

WordPress Plugin Nmedia WordPress Member Conversation 'doupload.php' Arbitrary File Upload (1.3)

WordPress Plugin W3 Total Cache Arbitrary File Disclosure (0.9.3)

WordPress Plugin Link Library Cross-Site Scripting (5.9.12.29)

Severity

Medium

Classification

CVE-2016-3725 CWE-264 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Tags

Missing Update Known Vulnerabilities