Description

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2016-0489.html

https://access.redhat.com/errata/RHSA-2016:0070

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11

Related Vulnerabilities

CVE-2020-9488 Vulnerability in maven package org.apache.logging.log4j:log4j-core

CVE-2022-23302 Vulnerability in maven package log4j:log4j

CVE-2022-1274 Vulnerability in maven package org.keycloak:keycloak-themes

CVE-2021-21615 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2018-20677 Vulnerability in npm package bootstrap

Severity

Critical

Classification

CWE-264

Tags

Vendor Advisory