Description

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Remediation

References

https://www.cloudbees.com/jenkins-security-advisory-2016-05-11

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11

https://access.redhat.com/errata/RHSA-2016:1206

http://rhn.redhat.com/errata/RHSA-2016-1773.html

Related Vulnerabilities

CVE-2020-6426 Vulnerability in npm package electron

CVE-2023-27898 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2022-31781 Vulnerability in maven package org.apache.tapestry:tapestry-core

CVE-2017-4963 Vulnerability in maven package org.cloudfoundry.identity:cloudfoundry-identity-server

CVE-2017-17837 Vulnerability in maven package org.apache.deltaspike.modules:jsf-module-project

Severity

Medium

Classification

CWE-200 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory