Description

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2016-0489.html

https://access.redhat.com/errata/RHSA-2016:0070

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11

Related Vulnerabilities

CVE-2017-3159 Vulnerability in maven package org.apache.camel:camel-snakeyaml

CVE-2020-7650 Vulnerability in npm package snyk-broker

CVE-2012-4431 Vulnerability in maven package org.apache.tomcat:catalina

CVE-2018-15685 Vulnerability in maven package org.webjars.npm:electron

CVE-2018-5158 Vulnerability in maven package org.webjars.npm:pdfjs-dist

Severity

Critical

Classification

CWE-264

Tags

Vendor Advisory