FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

jenkins -- multiple vulnerabilities

Affected packages
jenkins <= 2.120
jenkins-lts <= 2.107.2


VuXML ID 06ab7724-0fd7-427e-a5ce-fe436302b10c
Discovery 2018-05-09
Entry 2018-05-10

Jenkins developers report:

The agent to master security subsystem ensures that the Jenkins master is protected from maliciously configured agents. A path traversal vulnerability allowed agents to escape whitelisted directories to read and write to files they should not be able to access.

Black Duck Hub Plugin's API endpoint was affected by an XML External Entity (XXE) processing vulnerability. This allowed an attacker with Overall/Read access to have Jenkins parse a maliciously crafted file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks.

Several other lower severity issues were reported, see reference url for details.