Description

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2016-0489.html

https://access.redhat.com/errata/RHSA-2016:0070

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11

Related Vulnerabilities

CVE-2019-10089 Vulnerability in maven package org.apache.jspwiki:jspwiki-war

CVE-2023-43123 Vulnerability in maven package org.apache.storm:storm-server

CVE-2023-41886 Vulnerability in maven package org.openrefine:database

CVE-2017-3159 Vulnerability in maven package org.apache.camel:camel-snakeyaml

CVE-2017-11482 Vulnerability in npm package kibana

Severity

Critical

Classification

CWE-264

Tags

Vendor Advisory