Description

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2016-0489.html

https://access.redhat.com/errata/RHSA-2016:0070

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11

Related Vulnerabilities

CVE-2021-39239 Vulnerability in maven package org.apache.jena:jena-core

CVE-2008-5515 Vulnerability in maven package org.apache.tomcat:catalina

CVE-2018-1999007 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2010-3718 Vulnerability in maven package org.apache.tomcat:catalina

CVE-2020-1950 Vulnerability in maven package org.apache.tika:tika-parsers

Severity

Critical

Classification

CWE-264

Tags

Vendor Advisory