FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

jenkins -- multiple vulnerabilities

Affected packages
jenkins <= 2.115
jenkins-lts <= 2.107.1


VuXML ID aaba17aa-782e-4843-8a79-7756cfa2bf89
Discovery 2018-04-11
Entry 2018-04-12

Jenkins developers report:

The Jenkins CLI sent different error responses for commands with view and agent arguments depending on the existence of the specified views or agents to unauthorized users. This allowed attackers to determine whether views or agents with specified names exist.

The Jenkins CLI now returns the same error messages to unauthorized users independent of the existence of specified view or agent names

Some JavaScript confirmation dialogs included the item name in an unsafe manner, resulting in a possible cross-site scripting vulnerability exploitable by users with permission to create or configure items.

JavaScript confirmation dialogs that include the item name now properly escape it, so it can be safely displayed.