Description

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Remediation

References

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11

https://access.redhat.com/errata/RHSA-2016:0070

http://rhn.redhat.com/errata/RHSA-2016-0489.html

Related Vulnerabilities

CVE-2021-27578 Vulnerability in maven package org.apache.zeppelin:zeppelin

CVE-2023-28935 Vulnerability in maven package org.apache.uima:uima-ducc-parent

CVE-2018-14042 Vulnerability in maven package org.webjars:bootstrap-sass

CVE-2017-2606 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2023-24450 Vulnerability in maven package org.jenkins-ci.plugins:view-cloner

Severity

Critical

Classification

CWE-200

Tags

Vendor Advisory