AVG-738

Package:  jenkins
Status:   Fixed
Severity: High
Type:     multiple issues
Affected: 2.132-1
Fixed:    2.133-1
Current:  2.168-1 [community]
Ticket:   None
Created:  Fri Jul 20 08:19:14 2018
Issue             Severity  Remote  Type
CVE-2018-1999007  Medium    Yes     Cross-site scripting
    Stapler is the web framework used by Jenkins to route HTTP requests. When its debug mode is enabled, HTTP 404 error pages display diagnostic information....
CVE-2018-1999006  Medium    Yes     Information disclosure
    Files indicating when a plugin JPI file was last extracted into a subdirectory of plugins/ in the Jenkins home directory were accessible via HTTP by users...
CVE-2018-1999005  Medium    Yes     Cross-site scripting
    The build timeline widget shown on URLs like /view/…/builds in Jenkins before 2.133 did not properly escape display names of items. This resulted in a...
CVE-2018-1999004  Medium    Yes     Access restriction bypass
    The URL that initiates agent launches on the Jenkins master before 2.133 did not perform a permission check, allowing users with Overall/Read permission to...
CVE-2018-1999003  Medium    Yes     Access restriction bypass
    The URLs handling cancellation of queued builds in Jenkins before 2.133 did not perform a permission check, allowing users with Overall/Read permission to...
CVE-2018-1999002  High      Yes     Arbitrary filesystem access
    An arbitrary file read vulnerability in the Stapler web framework used by Jenkins before 2.133 allowed unauthenticated users to send crafted HTTP requests...
CVE-2018-1999001  High      Yes     Access restriction bypass
    Unauthenticated users could provide maliciously crafted login credentials that cause Jenkins before 2.133 to move the config.xml file from the Jenkins home...
Date         Advisory       Package  Description
21 Jul 2018  ASA-201807-14  jenkins  multiple issues
References
https://jenkins.io/security/advisory/2018-07-18/