Jenkins Multiple Input Validation Security Vulnerabilities

Jenkins is prone to the following vulnerabilities:

1. Multiple security-bypass vulnerabilities
2. Multiple cross-site scripting vulnerabilities
3. Multiple cross-site request forgery vulnerabilities
4. Multiple information disclosure vulnerabilities
5. Multiple security weaknesses
6. A clickjacking vulnerability
7. A session fixation vulnerability

An attacker may leverage these issues to execute arbitrary script code in the victim's browser in the context of the affected site, steal cookie-based authentication credentials, gain access to sensitive information, hijack an arbitrary session, perform certain administrative actions and gain unauthorized access to the affected application, or cause a denial-of-service condition. This may aid in further attacks.

The following product versions are vulnerable:

Active Directory Plugin versions 2.10 and prior are vulnerable
Blue Ocean Plugin versions 1.10.1 and prior are vulnerable
Config File Provider Plugin versions 3.4.1 and prior are vulnerable
Git Plugin versions 3.9.1 and prior are vulnerable
GitHub Authentication Plugin versions 0.29 and prior are vulnerable
Groovy Plugin versions 2.0 and prior are vulnerable
Job Import Plugin versions 2.1 and prior are vulnerable
Job Import Plugin versions 3.0 and prior are vulnerable
Kanboard Plugin versions 1.5.10 and prior are vulnerable
Monitoring Plugin versions 1.74.0 and prior are vulnerable
OpenId Connect Authentication Plugin versions 1.4 and prior are vulnerable
Script Security Plugin versions 1.50 and prior are vulnerable
Token Macro Plugin versions 2.5 and prior are vulnerable
Warnings Plugin versions 5.0.0 and prior are vulnerable
Warnings Next Generation Plugin versions 1.0.1, 2.1.1 and prior are vulnerable

Copyright 2010, SecurityFocus