Description
Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens, which might allow remote administrators to gain privileges and run scripts by using another user's API token.
Remediation
References
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
https://access.redhat.com/errata/RHSA-2016:0070
http://rhn.redhat.com/errata/RHSA-2016-0489.html
Related Vulnerabilities
CVE-2022-36908 Vulnerability in maven package org.jenkins-ci.plugins:openshift-deployer
CVE-2019-10305 Vulnerability in maven package com.xebialabs.xl-deploy:jenkins-dependendencies
CVE-2023-24446 Vulnerability in maven package org.jenkins-ci.plugins:openid
CVE-2021-33604 Vulnerability in maven package com.vaadin:flow-server
CVE-2016-3084 Vulnerability in maven package org.cloudfoundry.identity:cloudfoundry-identity-login