Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2014-3665 (GCVE-0-2014-3665)
Vulnerability from cvelistv5
Published
2015-11-25 20:00
Modified
2024-08-06 10:50
Severity ?
EPSS score ?
Summary
Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T10:50:18.303Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://wiki.jenkins-ci.org/display/JENKINS/Slave+To+Master+Access+Control", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147767", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.cloudbees.com/jenkins-security-advisory-2014-10-30", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2014-10-30T00:00:00", descriptions: [ { lang: "en", value: "Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2016-06-09T16:57:01", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://wiki.jenkins-ci.org/display/JENKINS/Slave+To+Master+Access+Control", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147767", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://www.cloudbees.com/jenkins-security-advisory-2014-10-30", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2014-3665", datePublished: "2015-11-25T20:00:00", dateReserved: "2014-05-14T00:00:00", dateUpdated: "2024-08-06T10:50:18.303Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { fkie_nvd: { configurations: "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"1.586\", \"matchCriteriaId\": \"90230A3F-36A2-45C9-A506-31CC896ABE21\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*\", \"versionEndIncluding\": \"1.565.3\", \"matchCriteriaId\": \"A50FA41C-BF02-4D87-B1DA-7F3EE6E9C367\"}]}]}]", descriptions: "[{\"lang\": \"en\", \"value\": \"Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.\"}, {\"lang\": \"es\", \"value\": \"Jenkins en versiones anteriores a 1.587 y LTS en versiones anteriores a 1.580.1 no asegura correctamente la separaci\\u00f3n de confianza entre un maestro y un esclavo, lo que podr\\u00eda permitir a atacantes remotos ejecutar c\\u00f3digo arbitrario en el maestro aprovechando el acceso al esclavo.\"}]", id: "CVE-2014-3665", lastModified: "2024-11-21T02:08:36.503", metrics: "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 6.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}", published: "2015-11-25T20:59:00.190", references: "[{\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1147767\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://wiki.jenkins-ci.org/display/JENKINS/Slave+To+Master+Access+Control\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.cloudbees.com/jenkins-security-advisory-2014-10-30\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1147767\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://wiki.jenkins-ci.org/display/JENKINS/Slave+To+Master+Access+Control\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.cloudbees.com/jenkins-security-advisory-2014-10-30\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]", sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-264\"}]}]", }, nvd: "{\"cve\":{\"id\":\"CVE-2014-3665\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2015-11-25T20:59:00.190\",\"lastModified\":\"2025-04-12T10:46:40.837\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.\"},{\"lang\":\"es\",\"value\":\"Jenkins en versiones anteriores a 1.587 y LTS en versiones anteriores a 1.580.1 no asegura correctamente la separación de confianza entre un maestro y un esclavo, lo que podría permitir a atacantes remotos ejecutar código arbitrario en el maestro aprovechando el acceso al esclavo.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-264\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.586\",\"matchCriteriaId\":\"90230A3F-36A2-45C9-A506-31CC896ABE21\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*\",\"versionEndIncluding\":\"1.565.3\",\"matchCriteriaId\":\"A50FA41C-BF02-4D87-B1DA-7F3EE6E9C367\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1147767\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://wiki.jenkins-ci.org/display/JENKINS/Slave+To+Master+Access+Control\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.cloudbees.com/jenkins-security-advisory-2014-10-30\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1147767\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://wiki.jenkins-ci.org/display/JENKINS/Slave+To+Master+Access+Control\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.cloudbees.com/jenkins-security-advisory-2014-10-30\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}", }, }
rhba-2014_1630
Vulnerability from csaf_redhat
Published
2014-10-14 13:01
Modified
2024-11-22 08:36
Summary
Red Hat Bug Fix Advisory: Red Hat OpenShift Enterprise 2.1 jenkins-plugin-openshift bug fix update
Notes
Topic
Updated jenkins-plugin-openshift and openshift-origin-cartridge-jenkins packages that fix a bug are now available for Red Hat OpenShift Enterprise 2.1.
Details
OpenShift Enterprise by Red Hat is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud
deployments.
This update fixes the following bug:
* Changes to the httpd and mod_ssl packages in Red Hat Enterprise Linux 6.6
caused certain ciphers' key sizes offered during TLS/SSL handshaking to be
larger than the same ciphers' key sizes in previous versions. These larger key
sizes are not supported by the current release of openjdk-1.7.0 and cause an
exception during TLS/SSL handshaking. On OpenShift Enterprise deployments which
had been updated to Red Hat Enterprise Linux 6.6, Jenkins builds failed because
the Jenkins plug-in could not negotiate an SSL connection with the broker REST
API endpoint.
If an updated OpenJDK package newer than java-1.7.0-openjdk-1.7.0.65-2.5.1.2 is
available, then the openjdk-1.7.0 package must be updated. On systems where the
update is either unavailable or otherwise cannot be installed, this bug fix
provides the updated Jenkins cartridge and dependencies to allow the problematic
cipher to be disabled. Users can take advantage of this by checking out the
Jenkins gear repository and adding the "disable_bad_ciphers_yes" marker file. As
a result, Jenkins builds work as before. It is important to note that disabling
the problematic cipher degrades the security of the REST API connections from
the Jenkins gear, and as soon as possible the OpenJDK package must be updated
and the marker file removed from all active Jenkins gears. (BZ#1127667)
All OpenShift Enterprise users are advised to upgrade to these updated packages.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Updated jenkins-plugin-openshift and openshift-origin-cartridge-jenkins packages that fix a bug are now available for Red Hat OpenShift Enterprise 2.1.", title: "Topic", }, { category: "general", text: "OpenShift Enterprise by Red Hat is the company's cloud computing\nPlatform-as-a-Service (PaaS) solution designed for on-premise or private cloud\ndeployments.\n\nThis update fixes the following bug: \n\n* Changes to the httpd and mod_ssl packages in Red Hat Enterprise Linux 6.6\ncaused certain ciphers' key sizes offered during TLS/SSL handshaking to be\nlarger than the same ciphers' key sizes in previous versions. These larger key\nsizes are not supported by the current release of openjdk-1.7.0 and cause an\nexception during TLS/SSL handshaking. On OpenShift Enterprise deployments which\nhad been updated to Red Hat Enterprise Linux 6.6, Jenkins builds failed because\nthe Jenkins plug-in could not negotiate an SSL connection with the broker REST\nAPI endpoint.\n\nIf an updated OpenJDK package newer than java-1.7.0-openjdk-1.7.0.65-2.5.1.2 is\navailable, then the openjdk-1.7.0 package must be updated. On systems where the\nupdate is either unavailable or otherwise cannot be installed, this bug fix\nprovides the updated Jenkins cartridge and dependencies to allow the problematic\ncipher to be disabled. Users can take advantage of this by checking out the\nJenkins gear repository and adding the \"disable_bad_ciphers_yes\" marker file. As\na result, Jenkins builds work as before. It is important to note that disabling\nthe problematic cipher degrades the security of the REST API connections from\nthe Jenkins gear, and as soon as possible the OpenJDK package must be updated\nand the marker file removed from all active Jenkins gears. (BZ#1127667)\n\nAll OpenShift Enterprise users are advised to upgrade to these updated packages.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHBA-2014:1630", url: "https://access.redhat.com/errata/RHBA-2014:1630", }, { category: "external", summary: "1127667", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1127667", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhba-2014_1630.json", }, ], title: "Red Hat Bug Fix Advisory: Red Hat OpenShift Enterprise 2.1 jenkins-plugin-openshift bug fix update", tracking: { current_release_date: "2024-11-22T08:36:17+00:00", generator: { date: "2024-11-22T08:36:17+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHBA-2014:1630", initial_release_date: "2014-10-14T13:01:14+00:00", revision_history: [ { date: "2014-10-14T13:01:14+00:00", number: "1", summary: "Initial version", }, { date: "2014-10-14T13:01:14+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T08:36:17+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHOSE Node 2.1", product: { name: "RHOSE Node 2.1", product_id: "6Server-RHOSE-NODE-2.1", product_identification_helper: { cpe: "cpe:/a:redhat:openshift:2.0::el6", }, }, }, ], category: "product_family", name: "Red Hat OpenShift Enterprise", }, { branches: [ { category: "product_version", name: "jenkins-0:1.565.3-1.el6op.noarch", product: { name: "jenkins-0:1.565.3-1.el6op.noarch", product_id: "jenkins-0:1.565.3-1.el6op.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@1.565.3-1.el6op?arch=noarch", }, }, }, { category: "product_version", name: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", product: { name: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", product_id: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/openshift-origin-cartridge-jenkins@1.20.3.5-1.el6op?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "jenkins-0:1.565.3-1.el6op.src", product: { name: "jenkins-0:1.565.3-1.el6op.src", product_id: "jenkins-0:1.565.3-1.el6op.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@1.565.3-1.el6op?arch=src", }, }, }, { category: "product_version", name: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", product: { name: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", product_id: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-plugin-openshift@0.6.40.1-0.el6op?arch=src", }, }, }, { category: "product_version", name: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", product: { name: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", product_id: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", product_identification_helper: { purl: "pkg:rpm/redhat/openshift-origin-cartridge-jenkins@1.20.3.5-1.el6op?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", product: { name: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", product_id: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-plugin-openshift@0.6.40.1-0.el6op?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "jenkins-0:1.565.3-1.el6op.noarch as a component of RHOSE Node 2.1", product_id: "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", }, product_reference: "jenkins-0:1.565.3-1.el6op.noarch", relates_to_product_reference: "6Server-RHOSE-NODE-2.1", }, { category: "default_component_of", full_product_name: { name: "jenkins-0:1.565.3-1.el6op.src as a component of RHOSE Node 2.1", product_id: "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", }, product_reference: "jenkins-0:1.565.3-1.el6op.src", relates_to_product_reference: "6Server-RHOSE-NODE-2.1", }, { category: "default_component_of", full_product_name: { name: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src as a component of RHOSE Node 2.1", product_id: "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", }, product_reference: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", relates_to_product_reference: "6Server-RHOSE-NODE-2.1", }, { category: "default_component_of", full_product_name: { name: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64 as a component of RHOSE Node 2.1", product_id: "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", }, product_reference: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", relates_to_product_reference: "6Server-RHOSE-NODE-2.1", }, { category: "default_component_of", full_product_name: { name: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch as a component of RHOSE Node 2.1", product_id: "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", }, product_reference: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", relates_to_product_reference: "6Server-RHOSE-NODE-2.1", }, { category: "default_component_of", full_product_name: { name: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src as a component of RHOSE Node 2.1", product_id: "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", }, product_reference: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", relates_to_product_reference: "6Server-RHOSE-NODE-2.1", }, ], }, vulnerabilities: [ { cve: "CVE-2013-5573", cwe: { id: "CWE-96", name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", }, discovery_date: "2013-12-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1044976", }, ], notes: [ { category: "description", text: "Cross-site scripting (XSS) vulnerability in the default markup formatter in Jenkins 1.523 allows remote attackers to inject arbitrary web script or HTML via the Description field in the user configuration.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: default markup formatter permits offsite-bound forms (SECURITY-88)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-5573", }, { category: "external", summary: "RHBZ#1044976", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1044976", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-5573", url: "https://www.cve.org/CVERecord?id=CVE-2013-5573", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-5573", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-5573", }, ], release_date: "2013-12-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, { category: "workaround", details: "'MyspacePolicy' permits\ntag(\"form\", \"action\", ONSITE_OR_OFFSITE_URL, \"method\");\n\nFix 'MyspacePolicy' by restricting the policy to ONSITE_URL only or perhaps <form> could be banned entirely.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "MULTIPLE", availabilityImpact: "NONE", baseScore: 4.7, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:M/C:P/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: default markup formatter permits offsite-bound forms (SECURITY-88)", }, { cve: "CVE-2013-6372", cwe: { id: "CWE-522", name: "Insufficiently Protected Credentials", }, discovery_date: "2013-11-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1032391", }, ], notes: [ { category: "description", text: "The Subversion plugin before 1.54 for Jenkins stores credentials using base64 encoding, which allows local users to obtain passwords and SSH private keys by reading a subversion.credentials file.", title: "Vulnerability description", }, { category: "summary", text: "Jenkins: insecure storage of passwords in Subversion plugin (SECURITY-58)", title: "Vulnerability summary", }, { category: "other", text: "Red Hat OpenShift Enterprise 1.2 is now in Production 1 Phase of the support\nand maintenance life cycle. This has been rated as having Moderate security\nimpact and is not currently planned to be addressed in future updates. For\nadditional information, refer to the Red Hat OpenShift Enterprise Life Cycle:\nhttps://access.redhat.com/site/support/policy/updates/openshift.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-6372", }, { category: "external", summary: "RHBZ#1032391", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1032391", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-6372", url: "https://www.cve.org/CVERecord?id=CVE-2013-6372", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-6372", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-6372", }, ], release_date: "2013-11-21T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.1, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:L/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Jenkins: insecure storage of passwords in Subversion plugin (SECURITY-58)", }, { cve: "CVE-2013-7330", cwe: { id: "CWE-863", name: "Incorrect Authorization", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067799", }, ], notes: [ { category: "description", text: "Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: configure a project you do not have access to (SECURITY-55)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-7330", }, { category: "external", summary: "RHBZ#1067799", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067799", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-7330", url: "https://www.cve.org/CVERecord?id=CVE-2013-7330", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-7330", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-7330", }, ], release_date: "2014-02-11T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 5.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: configure a project you do not have access to (SECURITY-55)", }, { cve: "CVE-2014-2059", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067801", }, ], notes: [ { category: "description", text: "Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: command line interface job creation directory traversal (SECURITY-108)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2059", }, { category: "external", summary: "RHBZ#1067801", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067801", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2059", url: "https://www.cve.org/CVERecord?id=CVE-2014-2059", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2059", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2059", }, ], release_date: "2014-02-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: command line interface job creation directory traversal (SECURITY-108)", }, { cve: "CVE-2014-2060", discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067806", }, ], notes: [ { category: "description", text: "The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: session hijacking issue in Winstone (SECURITY-106)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2060", }, { category: "external", summary: "RHBZ#1067806", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067806", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2060", url: "https://www.cve.org/CVERecord?id=CVE-2014-2060", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2060", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2060", }, ], release_date: "2014-02-11T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: session hijacking issue in Winstone (SECURITY-106)", }, { cve: "CVE-2014-2061", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067808", }, ], notes: [ { category: "description", text: "The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: clear text password disclosure (SECURITY-93)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2061", }, { category: "external", summary: "RHBZ#1067808", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067808", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2061", url: "https://www.cve.org/CVERecord?id=CVE-2014-2061", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2061", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2061", }, ], release_date: "2014-02-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: clear text password disclosure (SECURITY-93)", }, { cve: "CVE-2014-2062", cwe: { id: "CWE-613", name: "Insufficient Session Expiration", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067811", }, ], notes: [ { category: "description", text: "Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: user tokens not invalidated correctly (SECURITY-89)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2062", }, { category: "external", summary: "RHBZ#1067811", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067811", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2062", url: "https://www.cve.org/CVERecord?id=CVE-2014-2062", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2062", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2062", }, ], release_date: "2014-02-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:N/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: user tokens not invalidated correctly (SECURITY-89)", }, { cve: "CVE-2014-2063", discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067812", }, ], notes: [ { category: "description", text: "Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: interface vulnerable to clickjacking attacks (SECURITY-80)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2063", }, { category: "external", summary: "RHBZ#1067812", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067812", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2063", url: "https://www.cve.org/CVERecord?id=CVE-2014-2063", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2063", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2063", }, ], release_date: "2014-02-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: interface vulnerable to clickjacking attacks (SECURITY-80)", }, { cve: "CVE-2014-2064", cwe: { id: "CWE-209", name: "Generation of Error Message Containing Sensitive Information", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067817", }, ], notes: [ { category: "description", text: "The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: failed log in attemps revealing if a user is valid or not (SECURITY-79)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2064", }, { category: "external", summary: "RHBZ#1067817", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067817", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2064", url: "https://www.cve.org/CVERecord?id=CVE-2014-2064", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2064", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2064", }, ], release_date: "2014-02-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: failed log in attemps revealing if a user is valid or not (SECURITY-79)", }, { cve: "CVE-2014-2065", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067820", }, ], notes: [ { category: "description", text: "Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: input validation issue (SECURITY-77)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2065", }, { category: "external", summary: "RHBZ#1067820", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067820", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2065", url: "https://www.cve.org/CVERecord?id=CVE-2014-2065", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2065", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2065", }, ], release_date: "2014-02-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: input validation issue (SECURITY-77)", }, { cve: "CVE-2014-2066", cwe: { id: "CWE-384", name: "Session Fixation", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067827", }, ], notes: [ { category: "description", text: "Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the \"override\" of Jenkins cookies.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: session fixation issue (SECURITY-75)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2066", }, { category: "external", summary: "RHBZ#1067827", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067827", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2066", url: "https://www.cve.org/CVERecord?id=CVE-2014-2066", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2066", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2066", }, ], release_date: "2014-02-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: session fixation issue (SECURITY-75)", }, { cve: "CVE-2014-2067", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067832", }, ], notes: [ { category: "description", text: "Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a \"remote cause note.\"", title: "Vulnerability description", }, { category: "summary", text: "jenkins: stored cross-site scripting flaw (SECURITY-74)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2067", }, { category: "external", summary: "RHBZ#1067832", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067832", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2067", url: "https://www.cve.org/CVERecord?id=CVE-2014-2067", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2067", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2067", }, ], release_date: "2014-02-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 3.5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: stored cross-site scripting flaw (SECURITY-74)", }, { cve: "CVE-2014-2068", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067835", }, ], notes: [ { category: "description", text: "The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: information leak via system diagnostic functionalities (SECURITY-73)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2068", }, { category: "external", summary: "RHBZ#1067835", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067835", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2068", url: "https://www.cve.org/CVERecord?id=CVE-2014-2068", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2068", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2068", }, ], release_date: "2014-02-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 2.1, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:S/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "jenkins: information leak via system diagnostic functionalities (SECURITY-73)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, { names: [ "Daniel Beck", ], summary: "Acknowledged by upstream.", }, ], cve: "CVE-2014-3661", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147758", }, ], notes: [ { category: "description", text: "Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: denial of service (SECURITY-87)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3661", }, { category: "external", summary: "RHBZ#1147758", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147758", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3661", url: "https://www.cve.org/CVERecord?id=CVE-2014-3661", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3661", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3661", }, ], release_date: "2014-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: denial of service (SECURITY-87)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, { names: [ "Daniel Beck", ], summary: "Acknowledged by upstream.", }, ], cve: "CVE-2014-3662", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147759", }, ], notes: [ { category: "description", text: "Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: username discovery (SECURITY-110)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3662", }, { category: "external", summary: "RHBZ#1147759", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147759", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3662", url: "https://www.cve.org/CVERecord?id=CVE-2014-3662", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3662", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3662", }, ], release_date: "2014-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: username discovery (SECURITY-110)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, { names: [ "Daniel Beck", ], summary: "Acknowledged by upstream.", }, ], cve: "CVE-2014-3663", cwe: { id: "CWE-863", name: "Incorrect Authorization", }, discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147764", }, ], notes: [ { category: "description", text: "Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: job configuration issues (SECURITY-127, SECURITY-128)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3663", }, { category: "external", summary: "RHBZ#1147764", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147764", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3663", url: "https://www.cve.org/CVERecord?id=CVE-2014-3663", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3663", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3663", }, ], release_date: "2014-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: job configuration issues (SECURITY-127, SECURITY-128)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, { names: [ "Jesse Glick", ], summary: "Acknowledged by upstream.", }, ], cve: "CVE-2014-3664", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147765", }, ], notes: [ { category: "description", text: "Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: directory traversal flaw (SECURITY-131)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3664", }, { category: "external", summary: "RHBZ#1147765", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147765", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3664", url: "https://www.cve.org/CVERecord?id=CVE-2014-3664", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3664", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3664", }, ], release_date: "2014-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: directory traversal flaw (SECURITY-131)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, ], cve: "CVE-2014-3665", cwe: { id: "CWE-250", name: "Execution with Unnecessary Privileges", }, discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147767", }, ], notes: [ { category: "description", text: "Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: remote code execution from slaves (SECURITY-144)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3665", }, { category: "external", summary: "RHBZ#1147767", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147767", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3665", url: "https://www.cve.org/CVERecord?id=CVE-2014-3665", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3665", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3665", }, ], release_date: "2014-10-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins: remote code execution from slaves (SECURITY-144)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, { names: [ "Stephen Connolly", ], summary: "Acknowledged by upstream.", }, ], cve: "CVE-2014-3666", discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147769", }, ], notes: [ { category: "description", text: "Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: remote code execution flaw (SECURITY-150)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3666", }, { category: "external", summary: "RHBZ#1147769", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147769", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3666", url: "https://www.cve.org/CVERecord?id=CVE-2014-3666", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3666", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3666", }, ], release_date: "2014-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins: remote code execution flaw (SECURITY-150)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, { names: [ "Jesse Glick", ], summary: "Acknowledged by upstream.", }, ], cve: "CVE-2014-3667", cwe: { id: "CWE-285", name: "Improper Authorization", }, discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147770", }, ], notes: [ { category: "description", text: "Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: plug-in code can be downloaded by anyone with read access (SECURITY-155)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3667", }, { category: "external", summary: "RHBZ#1147770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147770", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3667", url: "https://www.cve.org/CVERecord?id=CVE-2014-3667", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3667", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3667", }, ], release_date: "2014-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: plug-in code can be downloaded by anyone with read access (SECURITY-155)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, { names: [ "Wilder Rodrigues", ], summary: "Acknowledged by upstream.", }, ], cve: "CVE-2014-3678", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147760", }, ], notes: [ { category: "description", text: "Cross-site scripting (XSS) vulnerability in the Monitoring plugin before 1.53.0 for Jenkins allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: cross-site scripting flaws in the monitoring plug-in (SECURITY-113)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3678", }, { category: "external", summary: "RHBZ#1147760", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147760", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3678", url: "https://www.cve.org/CVERecord?id=CVE-2014-3678", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3678", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3678", }, ], release_date: "2014-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: cross-site scripting flaws in the monitoring plug-in (SECURITY-113)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, { names: [ "Seth Graham", ], summary: "Acknowledged by upstream.", }, ], cve: "CVE-2014-3681", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147766", }, ], notes: [ { category: "description", text: "Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: cross-site scripting flaw in Jenkins core (SECURITY-143)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3681", }, { category: "external", summary: "RHBZ#1147766", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147766", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3681", url: "https://www.cve.org/CVERecord?id=CVE-2014-3681", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3681", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3681", }, ], release_date: "2014-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: cross-site scripting flaw in Jenkins core (SECURITY-143)", }, ], }
RHBA-2014:1630
Vulnerability from csaf_redhat
Published
2014-10-14 13:01
Modified
2024-11-22 08:36
Summary
Red Hat Bug Fix Advisory: Red Hat OpenShift Enterprise 2.1 jenkins-plugin-openshift bug fix update
Notes
Topic
Updated jenkins-plugin-openshift and openshift-origin-cartridge-jenkins packages that fix a bug are now available for Red Hat OpenShift Enterprise 2.1.
Details
OpenShift Enterprise by Red Hat is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud
deployments.
This update fixes the following bug:
* Changes to the httpd and mod_ssl packages in Red Hat Enterprise Linux 6.6
caused certain ciphers' key sizes offered during TLS/SSL handshaking to be
larger than the same ciphers' key sizes in previous versions. These larger key
sizes are not supported by the current release of openjdk-1.7.0 and cause an
exception during TLS/SSL handshaking. On OpenShift Enterprise deployments which
had been updated to Red Hat Enterprise Linux 6.6, Jenkins builds failed because
the Jenkins plug-in could not negotiate an SSL connection with the broker REST
API endpoint.
If an updated OpenJDK package newer than java-1.7.0-openjdk-1.7.0.65-2.5.1.2 is
available, then the openjdk-1.7.0 package must be updated. On systems where the
update is either unavailable or otherwise cannot be installed, this bug fix
provides the updated Jenkins cartridge and dependencies to allow the problematic
cipher to be disabled. Users can take advantage of this by checking out the
Jenkins gear repository and adding the "disable_bad_ciphers_yes" marker file. As
a result, Jenkins builds work as before. It is important to note that disabling
the problematic cipher degrades the security of the REST API connections from
the Jenkins gear, and as soon as possible the OpenJDK package must be updated
and the marker file removed from all active Jenkins gears. (BZ#1127667)
All OpenShift Enterprise users are advised to upgrade to these updated packages.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Updated jenkins-plugin-openshift and openshift-origin-cartridge-jenkins packages that fix a bug are now available for Red Hat OpenShift Enterprise 2.1.", title: "Topic", }, { category: "general", text: "OpenShift Enterprise by Red Hat is the company's cloud computing\nPlatform-as-a-Service (PaaS) solution designed for on-premise or private cloud\ndeployments.\n\nThis update fixes the following bug: \n\n* Changes to the httpd and mod_ssl packages in Red Hat Enterprise Linux 6.6\ncaused certain ciphers' key sizes offered during TLS/SSL handshaking to be\nlarger than the same ciphers' key sizes in previous versions. These larger key\nsizes are not supported by the current release of openjdk-1.7.0 and cause an\nexception during TLS/SSL handshaking. On OpenShift Enterprise deployments which\nhad been updated to Red Hat Enterprise Linux 6.6, Jenkins builds failed because\nthe Jenkins plug-in could not negotiate an SSL connection with the broker REST\nAPI endpoint.\n\nIf an updated OpenJDK package newer than java-1.7.0-openjdk-1.7.0.65-2.5.1.2 is\navailable, then the openjdk-1.7.0 package must be updated. On systems where the\nupdate is either unavailable or otherwise cannot be installed, this bug fix\nprovides the updated Jenkins cartridge and dependencies to allow the problematic\ncipher to be disabled. Users can take advantage of this by checking out the\nJenkins gear repository and adding the \"disable_bad_ciphers_yes\" marker file. As\na result, Jenkins builds work as before. It is important to note that disabling\nthe problematic cipher degrades the security of the REST API connections from\nthe Jenkins gear, and as soon as possible the OpenJDK package must be updated\nand the marker file removed from all active Jenkins gears. (BZ#1127667)\n\nAll OpenShift Enterprise users are advised to upgrade to these updated packages.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHBA-2014:1630", url: "https://access.redhat.com/errata/RHBA-2014:1630", }, { category: "external", summary: "1127667", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1127667", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhba-2014_1630.json", }, ], title: "Red Hat Bug Fix Advisory: Red Hat OpenShift Enterprise 2.1 jenkins-plugin-openshift bug fix update", tracking: { current_release_date: "2024-11-22T08:36:17+00:00", generator: { date: "2024-11-22T08:36:17+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHBA-2014:1630", initial_release_date: "2014-10-14T13:01:14+00:00", revision_history: [ { date: "2014-10-14T13:01:14+00:00", number: "1", summary: "Initial version", }, { date: "2014-10-14T13:01:14+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T08:36:17+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHOSE Node 2.1", product: { name: "RHOSE Node 2.1", product_id: "6Server-RHOSE-NODE-2.1", product_identification_helper: { cpe: "cpe:/a:redhat:openshift:2.0::el6", }, }, }, ], category: "product_family", name: "Red Hat OpenShift Enterprise", }, { branches: [ { category: "product_version", name: "jenkins-0:1.565.3-1.el6op.noarch", product: { name: "jenkins-0:1.565.3-1.el6op.noarch", product_id: "jenkins-0:1.565.3-1.el6op.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@1.565.3-1.el6op?arch=noarch", }, }, }, { category: "product_version", name: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", product: { name: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", product_id: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/openshift-origin-cartridge-jenkins@1.20.3.5-1.el6op?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "jenkins-0:1.565.3-1.el6op.src", product: { name: "jenkins-0:1.565.3-1.el6op.src", product_id: "jenkins-0:1.565.3-1.el6op.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@1.565.3-1.el6op?arch=src", }, }, }, { category: "product_version", name: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", product: { name: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", product_id: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-plugin-openshift@0.6.40.1-0.el6op?arch=src", }, }, }, { category: "product_version", name: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", product: { name: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", product_id: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", product_identification_helper: { purl: "pkg:rpm/redhat/openshift-origin-cartridge-jenkins@1.20.3.5-1.el6op?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", product: { name: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", product_id: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-plugin-openshift@0.6.40.1-0.el6op?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "jenkins-0:1.565.3-1.el6op.noarch as a component of RHOSE Node 2.1", product_id: "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", }, product_reference: "jenkins-0:1.565.3-1.el6op.noarch", relates_to_product_reference: "6Server-RHOSE-NODE-2.1", }, { category: "default_component_of", full_product_name: { name: "jenkins-0:1.565.3-1.el6op.src as a component of RHOSE Node 2.1", product_id: "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", }, product_reference: "jenkins-0:1.565.3-1.el6op.src", relates_to_product_reference: "6Server-RHOSE-NODE-2.1", }, { category: "default_component_of", full_product_name: { name: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src as a component of RHOSE Node 2.1", product_id: "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", }, product_reference: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", relates_to_product_reference: "6Server-RHOSE-NODE-2.1", }, { category: "default_component_of", full_product_name: { name: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64 as a component of RHOSE Node 2.1", product_id: "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", }, product_reference: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", relates_to_product_reference: "6Server-RHOSE-NODE-2.1", }, { category: "default_component_of", full_product_name: { name: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch as a component of RHOSE Node 2.1", product_id: "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", }, product_reference: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", relates_to_product_reference: "6Server-RHOSE-NODE-2.1", }, { category: "default_component_of", full_product_name: { name: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src as a component of RHOSE Node 2.1", product_id: "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", }, product_reference: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", relates_to_product_reference: "6Server-RHOSE-NODE-2.1", }, ], }, vulnerabilities: [ { cve: "CVE-2013-5573", cwe: { id: "CWE-96", name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", }, discovery_date: "2013-12-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1044976", }, ], notes: [ { category: "description", text: "Cross-site scripting (XSS) vulnerability in the default markup formatter in Jenkins 1.523 allows remote attackers to inject arbitrary web script or HTML via the Description field in the user configuration.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: default markup formatter permits offsite-bound forms (SECURITY-88)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-5573", }, { category: "external", summary: "RHBZ#1044976", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1044976", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-5573", url: "https://www.cve.org/CVERecord?id=CVE-2013-5573", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-5573", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-5573", }, ], release_date: "2013-12-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, { category: "workaround", details: "'MyspacePolicy' permits\ntag(\"form\", \"action\", ONSITE_OR_OFFSITE_URL, \"method\");\n\nFix 'MyspacePolicy' by restricting the policy to ONSITE_URL only or perhaps <form> could be banned entirely.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "MULTIPLE", availabilityImpact: "NONE", baseScore: 4.7, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:M/C:P/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: default markup formatter permits offsite-bound forms (SECURITY-88)", }, { cve: "CVE-2013-6372", cwe: { id: "CWE-522", name: "Insufficiently Protected Credentials", }, discovery_date: "2013-11-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1032391", }, ], notes: [ { category: "description", text: "The Subversion plugin before 1.54 for Jenkins stores credentials using base64 encoding, which allows local users to obtain passwords and SSH private keys by reading a subversion.credentials file.", title: "Vulnerability description", }, { category: "summary", text: "Jenkins: insecure storage of passwords in Subversion plugin (SECURITY-58)", title: "Vulnerability summary", }, { category: "other", text: "Red Hat OpenShift Enterprise 1.2 is now in Production 1 Phase of the support\nand maintenance life cycle. This has been rated as having Moderate security\nimpact and is not currently planned to be addressed in future updates. For\nadditional information, refer to the Red Hat OpenShift Enterprise Life Cycle:\nhttps://access.redhat.com/site/support/policy/updates/openshift.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-6372", }, { category: "external", summary: "RHBZ#1032391", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1032391", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-6372", url: "https://www.cve.org/CVERecord?id=CVE-2013-6372", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-6372", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-6372", }, ], release_date: "2013-11-21T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.1, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:L/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Jenkins: insecure storage of passwords in Subversion plugin (SECURITY-58)", }, { cve: "CVE-2013-7330", cwe: { id: "CWE-863", name: "Incorrect Authorization", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067799", }, ], notes: [ { category: "description", text: "Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: configure a project you do not have access to (SECURITY-55)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-7330", }, { category: "external", summary: "RHBZ#1067799", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067799", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-7330", url: "https://www.cve.org/CVERecord?id=CVE-2013-7330", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-7330", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-7330", }, ], release_date: "2014-02-11T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 5.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: configure a project you do not have access to (SECURITY-55)", }, { cve: "CVE-2014-2059", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067801", }, ], notes: [ { category: "description", text: "Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: command line interface job creation directory traversal (SECURITY-108)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2059", }, { category: "external", summary: "RHBZ#1067801", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067801", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2059", url: "https://www.cve.org/CVERecord?id=CVE-2014-2059", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2059", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2059", }, ], release_date: "2014-02-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: command line interface job creation directory traversal (SECURITY-108)", }, { cve: "CVE-2014-2060", discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067806", }, ], notes: [ { category: "description", text: "The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: session hijacking issue in Winstone (SECURITY-106)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2060", }, { category: "external", summary: "RHBZ#1067806", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067806", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2060", url: "https://www.cve.org/CVERecord?id=CVE-2014-2060", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2060", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2060", }, ], release_date: "2014-02-11T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: session hijacking issue in Winstone (SECURITY-106)", }, { cve: "CVE-2014-2061", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067808", }, ], notes: [ { category: "description", text: "The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: clear text password disclosure (SECURITY-93)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2061", }, { category: "external", summary: "RHBZ#1067808", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067808", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2061", url: "https://www.cve.org/CVERecord?id=CVE-2014-2061", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2061", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2061", }, ], release_date: "2014-02-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: clear text password disclosure (SECURITY-93)", }, { cve: "CVE-2014-2062", cwe: { id: "CWE-613", name: "Insufficient Session Expiration", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067811", }, ], notes: [ { category: "description", text: "Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: user tokens not invalidated correctly (SECURITY-89)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2062", }, { category: "external", summary: "RHBZ#1067811", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067811", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2062", url: "https://www.cve.org/CVERecord?id=CVE-2014-2062", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2062", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2062", }, ], release_date: "2014-02-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:N/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: user tokens not invalidated correctly (SECURITY-89)", }, { cve: "CVE-2014-2063", discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067812", }, ], notes: [ { category: "description", text: "Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: interface vulnerable to clickjacking attacks (SECURITY-80)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2063", }, { category: "external", summary: "RHBZ#1067812", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067812", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2063", url: "https://www.cve.org/CVERecord?id=CVE-2014-2063", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2063", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2063", }, ], release_date: "2014-02-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: interface vulnerable to clickjacking attacks (SECURITY-80)", }, { cve: "CVE-2014-2064", cwe: { id: "CWE-209", name: "Generation of Error Message Containing Sensitive Information", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067817", }, ], notes: [ { category: "description", text: "The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: failed log in attemps revealing if a user is valid or not (SECURITY-79)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2064", }, { category: "external", summary: "RHBZ#1067817", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067817", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2064", url: "https://www.cve.org/CVERecord?id=CVE-2014-2064", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2064", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2064", }, ], release_date: "2014-02-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: failed log in attemps revealing if a user is valid or not (SECURITY-79)", }, { cve: "CVE-2014-2065", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067820", }, ], notes: [ { category: "description", text: "Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: input validation issue (SECURITY-77)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2065", }, { category: "external", summary: "RHBZ#1067820", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067820", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2065", url: "https://www.cve.org/CVERecord?id=CVE-2014-2065", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2065", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2065", }, ], release_date: "2014-02-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: input validation issue (SECURITY-77)", }, { cve: "CVE-2014-2066", cwe: { id: "CWE-384", name: "Session Fixation", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067827", }, ], notes: [ { category: "description", text: "Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the \"override\" of Jenkins cookies.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: session fixation issue (SECURITY-75)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2066", }, { category: "external", summary: "RHBZ#1067827", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067827", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2066", url: "https://www.cve.org/CVERecord?id=CVE-2014-2066", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2066", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2066", }, ], release_date: "2014-02-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: session fixation issue (SECURITY-75)", }, { cve: "CVE-2014-2067", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067832", }, ], notes: [ { category: "description", text: "Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a \"remote cause note.\"", title: "Vulnerability description", }, { category: "summary", text: "jenkins: stored cross-site scripting flaw (SECURITY-74)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2067", }, { category: "external", summary: "RHBZ#1067832", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067832", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2067", url: "https://www.cve.org/CVERecord?id=CVE-2014-2067", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2067", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2067", }, ], release_date: "2014-02-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 3.5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: stored cross-site scripting flaw (SECURITY-74)", }, { cve: "CVE-2014-2068", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067835", }, ], notes: [ { category: "description", text: "The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: information leak via system diagnostic functionalities (SECURITY-73)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2068", }, { category: "external", summary: "RHBZ#1067835", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067835", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2068", url: "https://www.cve.org/CVERecord?id=CVE-2014-2068", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2068", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2068", }, ], release_date: "2014-02-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 2.1, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:S/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "jenkins: information leak via system diagnostic functionalities (SECURITY-73)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, { names: [ "Daniel Beck", ], summary: "Acknowledged by upstream.", }, ], cve: "CVE-2014-3661", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147758", }, ], notes: [ { category: "description", text: "Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: denial of service (SECURITY-87)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3661", }, { category: "external", summary: "RHBZ#1147758", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147758", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3661", url: "https://www.cve.org/CVERecord?id=CVE-2014-3661", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3661", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3661", }, ], release_date: "2014-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: denial of service (SECURITY-87)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, { names: [ "Daniel Beck", ], summary: "Acknowledged by upstream.", }, ], cve: "CVE-2014-3662", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147759", }, ], notes: [ { category: "description", text: "Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: username discovery (SECURITY-110)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3662", }, { category: "external", summary: "RHBZ#1147759", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147759", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3662", url: "https://www.cve.org/CVERecord?id=CVE-2014-3662", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3662", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3662", }, ], release_date: "2014-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: username discovery (SECURITY-110)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, { names: [ "Daniel Beck", ], summary: "Acknowledged by upstream.", }, ], cve: "CVE-2014-3663", cwe: { id: "CWE-863", name: "Incorrect Authorization", }, discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147764", }, ], notes: [ { category: "description", text: "Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: job configuration issues (SECURITY-127, SECURITY-128)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3663", }, { category: "external", summary: "RHBZ#1147764", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147764", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3663", url: "https://www.cve.org/CVERecord?id=CVE-2014-3663", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3663", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3663", }, ], release_date: "2014-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: job configuration issues (SECURITY-127, SECURITY-128)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, { names: [ "Jesse Glick", ], summary: "Acknowledged by upstream.", }, ], cve: "CVE-2014-3664", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147765", }, ], notes: [ { category: "description", text: "Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: directory traversal flaw (SECURITY-131)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3664", }, { category: "external", summary: "RHBZ#1147765", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147765", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3664", url: "https://www.cve.org/CVERecord?id=CVE-2014-3664", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3664", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3664", }, ], release_date: "2014-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: directory traversal flaw (SECURITY-131)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, ], cve: "CVE-2014-3665", cwe: { id: "CWE-250", name: "Execution with Unnecessary Privileges", }, discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147767", }, ], notes: [ { category: "description", text: "Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: remote code execution from slaves (SECURITY-144)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3665", }, { category: "external", summary: "RHBZ#1147767", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147767", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3665", url: "https://www.cve.org/CVERecord?id=CVE-2014-3665", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3665", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3665", }, ], release_date: "2014-10-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins: remote code execution from slaves (SECURITY-144)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, { names: [ "Stephen Connolly", ], summary: "Acknowledged by upstream.", }, ], cve: "CVE-2014-3666", discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147769", }, ], notes: [ { category: "description", text: "Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: remote code execution flaw (SECURITY-150)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3666", }, { category: "external", summary: "RHBZ#1147769", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147769", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3666", url: "https://www.cve.org/CVERecord?id=CVE-2014-3666", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3666", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3666", }, ], release_date: "2014-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins: remote code execution flaw (SECURITY-150)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, { names: [ "Jesse Glick", ], summary: "Acknowledged by upstream.", }, ], cve: "CVE-2014-3667", cwe: { id: "CWE-285", name: "Improper Authorization", }, discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147770", }, ], notes: [ { category: "description", text: "Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: plug-in code can be downloaded by anyone with read access (SECURITY-155)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3667", }, { category: "external", summary: "RHBZ#1147770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147770", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3667", url: "https://www.cve.org/CVERecord?id=CVE-2014-3667", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3667", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3667", }, ], release_date: "2014-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: plug-in code can be downloaded by anyone with read access (SECURITY-155)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, { names: [ "Wilder Rodrigues", ], summary: "Acknowledged by upstream.", }, ], cve: "CVE-2014-3678", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147760", }, ], notes: [ { category: "description", text: "Cross-site scripting (XSS) vulnerability in the Monitoring plugin before 1.53.0 for Jenkins allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: cross-site scripting flaws in the monitoring plug-in (SECURITY-113)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3678", }, { category: "external", summary: "RHBZ#1147760", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147760", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3678", url: "https://www.cve.org/CVERecord?id=CVE-2014-3678", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3678", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3678", }, ], release_date: "2014-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: cross-site scripting flaws in the monitoring plug-in (SECURITY-113)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, { names: [ "Seth Graham", ], summary: "Acknowledged by upstream.", }, ], cve: "CVE-2014-3681", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147766", }, ], notes: [ { category: "description", text: "Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: cross-site scripting flaw in Jenkins core (SECURITY-143)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3681", }, { category: "external", summary: "RHBZ#1147766", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147766", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3681", url: "https://www.cve.org/CVERecord?id=CVE-2014-3681", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3681", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3681", }, ], release_date: "2014-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: cross-site scripting flaw in Jenkins core (SECURITY-143)", }, ], }
rhba-2014:1630
Vulnerability from csaf_redhat
Published
2014-10-14 13:01
Modified
2024-11-22 08:36
Summary
Red Hat Bug Fix Advisory: Red Hat OpenShift Enterprise 2.1 jenkins-plugin-openshift bug fix update
Notes
Topic
Updated jenkins-plugin-openshift and openshift-origin-cartridge-jenkins packages that fix a bug are now available for Red Hat OpenShift Enterprise 2.1.
Details
OpenShift Enterprise by Red Hat is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud
deployments.
This update fixes the following bug:
* Changes to the httpd and mod_ssl packages in Red Hat Enterprise Linux 6.6
caused certain ciphers' key sizes offered during TLS/SSL handshaking to be
larger than the same ciphers' key sizes in previous versions. These larger key
sizes are not supported by the current release of openjdk-1.7.0 and cause an
exception during TLS/SSL handshaking. On OpenShift Enterprise deployments which
had been updated to Red Hat Enterprise Linux 6.6, Jenkins builds failed because
the Jenkins plug-in could not negotiate an SSL connection with the broker REST
API endpoint.
If an updated OpenJDK package newer than java-1.7.0-openjdk-1.7.0.65-2.5.1.2 is
available, then the openjdk-1.7.0 package must be updated. On systems where the
update is either unavailable or otherwise cannot be installed, this bug fix
provides the updated Jenkins cartridge and dependencies to allow the problematic
cipher to be disabled. Users can take advantage of this by checking out the
Jenkins gear repository and adding the "disable_bad_ciphers_yes" marker file. As
a result, Jenkins builds work as before. It is important to note that disabling
the problematic cipher degrades the security of the REST API connections from
the Jenkins gear, and as soon as possible the OpenJDK package must be updated
and the marker file removed from all active Jenkins gears. (BZ#1127667)
All OpenShift Enterprise users are advised to upgrade to these updated packages.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Updated jenkins-plugin-openshift and openshift-origin-cartridge-jenkins packages that fix a bug are now available for Red Hat OpenShift Enterprise 2.1.", title: "Topic", }, { category: "general", text: "OpenShift Enterprise by Red Hat is the company's cloud computing\nPlatform-as-a-Service (PaaS) solution designed for on-premise or private cloud\ndeployments.\n\nThis update fixes the following bug: \n\n* Changes to the httpd and mod_ssl packages in Red Hat Enterprise Linux 6.6\ncaused certain ciphers' key sizes offered during TLS/SSL handshaking to be\nlarger than the same ciphers' key sizes in previous versions. These larger key\nsizes are not supported by the current release of openjdk-1.7.0 and cause an\nexception during TLS/SSL handshaking. On OpenShift Enterprise deployments which\nhad been updated to Red Hat Enterprise Linux 6.6, Jenkins builds failed because\nthe Jenkins plug-in could not negotiate an SSL connection with the broker REST\nAPI endpoint.\n\nIf an updated OpenJDK package newer than java-1.7.0-openjdk-1.7.0.65-2.5.1.2 is\navailable, then the openjdk-1.7.0 package must be updated. On systems where the\nupdate is either unavailable or otherwise cannot be installed, this bug fix\nprovides the updated Jenkins cartridge and dependencies to allow the problematic\ncipher to be disabled. Users can take advantage of this by checking out the\nJenkins gear repository and adding the \"disable_bad_ciphers_yes\" marker file. As\na result, Jenkins builds work as before. It is important to note that disabling\nthe problematic cipher degrades the security of the REST API connections from\nthe Jenkins gear, and as soon as possible the OpenJDK package must be updated\nand the marker file removed from all active Jenkins gears. (BZ#1127667)\n\nAll OpenShift Enterprise users are advised to upgrade to these updated packages.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHBA-2014:1630", url: "https://access.redhat.com/errata/RHBA-2014:1630", }, { category: "external", summary: "1127667", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1127667", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhba-2014_1630.json", }, ], title: "Red Hat Bug Fix Advisory: Red Hat OpenShift Enterprise 2.1 jenkins-plugin-openshift bug fix update", tracking: { current_release_date: "2024-11-22T08:36:17+00:00", generator: { date: "2024-11-22T08:36:17+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHBA-2014:1630", initial_release_date: "2014-10-14T13:01:14+00:00", revision_history: [ { date: "2014-10-14T13:01:14+00:00", number: "1", summary: "Initial version", }, { date: "2014-10-14T13:01:14+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T08:36:17+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHOSE Node 2.1", product: { name: "RHOSE Node 2.1", product_id: "6Server-RHOSE-NODE-2.1", product_identification_helper: { cpe: "cpe:/a:redhat:openshift:2.0::el6", }, }, }, ], category: "product_family", name: "Red Hat OpenShift Enterprise", }, { branches: [ { category: "product_version", name: "jenkins-0:1.565.3-1.el6op.noarch", product: { name: "jenkins-0:1.565.3-1.el6op.noarch", product_id: "jenkins-0:1.565.3-1.el6op.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@1.565.3-1.el6op?arch=noarch", }, }, }, { category: "product_version", name: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", product: { name: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", product_id: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/openshift-origin-cartridge-jenkins@1.20.3.5-1.el6op?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "jenkins-0:1.565.3-1.el6op.src", product: { name: "jenkins-0:1.565.3-1.el6op.src", product_id: "jenkins-0:1.565.3-1.el6op.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@1.565.3-1.el6op?arch=src", }, }, }, { category: "product_version", name: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", product: { name: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", product_id: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-plugin-openshift@0.6.40.1-0.el6op?arch=src", }, }, }, { category: "product_version", name: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", product: { name: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", product_id: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", product_identification_helper: { purl: "pkg:rpm/redhat/openshift-origin-cartridge-jenkins@1.20.3.5-1.el6op?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", product: { name: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", product_id: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-plugin-openshift@0.6.40.1-0.el6op?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "jenkins-0:1.565.3-1.el6op.noarch as a component of RHOSE Node 2.1", product_id: "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", }, product_reference: "jenkins-0:1.565.3-1.el6op.noarch", relates_to_product_reference: "6Server-RHOSE-NODE-2.1", }, { category: "default_component_of", full_product_name: { name: "jenkins-0:1.565.3-1.el6op.src as a component of RHOSE Node 2.1", product_id: "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", }, product_reference: "jenkins-0:1.565.3-1.el6op.src", relates_to_product_reference: "6Server-RHOSE-NODE-2.1", }, { category: "default_component_of", full_product_name: { name: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src as a component of RHOSE Node 2.1", product_id: "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", }, product_reference: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", relates_to_product_reference: "6Server-RHOSE-NODE-2.1", }, { category: "default_component_of", full_product_name: { name: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64 as a component of RHOSE Node 2.1", product_id: "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", }, product_reference: "jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", relates_to_product_reference: "6Server-RHOSE-NODE-2.1", }, { category: "default_component_of", full_product_name: { name: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch as a component of RHOSE Node 2.1", product_id: "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", }, product_reference: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", relates_to_product_reference: "6Server-RHOSE-NODE-2.1", }, { category: "default_component_of", full_product_name: { name: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src as a component of RHOSE Node 2.1", product_id: "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", }, product_reference: "openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", relates_to_product_reference: "6Server-RHOSE-NODE-2.1", }, ], }, vulnerabilities: [ { cve: "CVE-2013-5573", cwe: { id: "CWE-96", name: "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", }, discovery_date: "2013-12-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1044976", }, ], notes: [ { category: "description", text: "Cross-site scripting (XSS) vulnerability in the default markup formatter in Jenkins 1.523 allows remote attackers to inject arbitrary web script or HTML via the Description field in the user configuration.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: default markup formatter permits offsite-bound forms (SECURITY-88)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-5573", }, { category: "external", summary: "RHBZ#1044976", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1044976", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-5573", url: "https://www.cve.org/CVERecord?id=CVE-2013-5573", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-5573", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-5573", }, ], release_date: "2013-12-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, { category: "workaround", details: "'MyspacePolicy' permits\ntag(\"form\", \"action\", ONSITE_OR_OFFSITE_URL, \"method\");\n\nFix 'MyspacePolicy' by restricting the policy to ONSITE_URL only or perhaps <form> could be banned entirely.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "MULTIPLE", availabilityImpact: "NONE", baseScore: 4.7, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:M/C:P/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: default markup formatter permits offsite-bound forms (SECURITY-88)", }, { cve: "CVE-2013-6372", cwe: { id: "CWE-522", name: "Insufficiently Protected Credentials", }, discovery_date: "2013-11-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1032391", }, ], notes: [ { category: "description", text: "The Subversion plugin before 1.54 for Jenkins stores credentials using base64 encoding, which allows local users to obtain passwords and SSH private keys by reading a subversion.credentials file.", title: "Vulnerability description", }, { category: "summary", text: "Jenkins: insecure storage of passwords in Subversion plugin (SECURITY-58)", title: "Vulnerability summary", }, { category: "other", text: "Red Hat OpenShift Enterprise 1.2 is now in Production 1 Phase of the support\nand maintenance life cycle. This has been rated as having Moderate security\nimpact and is not currently planned to be addressed in future updates. For\nadditional information, refer to the Red Hat OpenShift Enterprise Life Cycle:\nhttps://access.redhat.com/site/support/policy/updates/openshift.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-6372", }, { category: "external", summary: "RHBZ#1032391", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1032391", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-6372", url: "https://www.cve.org/CVERecord?id=CVE-2013-6372", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-6372", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-6372", }, ], release_date: "2013-11-21T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.1, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:L/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Jenkins: insecure storage of passwords in Subversion plugin (SECURITY-58)", }, { cve: "CVE-2013-7330", cwe: { id: "CWE-863", name: "Incorrect Authorization", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067799", }, ], notes: [ { category: "description", text: "Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: configure a project you do not have access to (SECURITY-55)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-7330", }, { category: "external", summary: "RHBZ#1067799", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067799", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-7330", url: "https://www.cve.org/CVERecord?id=CVE-2013-7330", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-7330", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-7330", }, ], release_date: "2014-02-11T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 5.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: configure a project you do not have access to (SECURITY-55)", }, { cve: "CVE-2014-2059", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067801", }, ], notes: [ { category: "description", text: "Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: command line interface job creation directory traversal (SECURITY-108)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2059", }, { category: "external", summary: "RHBZ#1067801", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067801", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2059", url: "https://www.cve.org/CVERecord?id=CVE-2014-2059", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2059", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2059", }, ], release_date: "2014-02-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: command line interface job creation directory traversal (SECURITY-108)", }, { cve: "CVE-2014-2060", discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067806", }, ], notes: [ { category: "description", text: "The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: session hijacking issue in Winstone (SECURITY-106)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2060", }, { category: "external", summary: "RHBZ#1067806", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067806", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2060", url: "https://www.cve.org/CVERecord?id=CVE-2014-2060", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2060", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2060", }, ], release_date: "2014-02-11T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: session hijacking issue in Winstone (SECURITY-106)", }, { cve: "CVE-2014-2061", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067808", }, ], notes: [ { category: "description", text: "The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: clear text password disclosure (SECURITY-93)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2061", }, { category: "external", summary: "RHBZ#1067808", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067808", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2061", url: "https://www.cve.org/CVERecord?id=CVE-2014-2061", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2061", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2061", }, ], release_date: "2014-02-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: clear text password disclosure (SECURITY-93)", }, { cve: "CVE-2014-2062", cwe: { id: "CWE-613", name: "Insufficient Session Expiration", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067811", }, ], notes: [ { category: "description", text: "Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: user tokens not invalidated correctly (SECURITY-89)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2062", }, { category: "external", summary: "RHBZ#1067811", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067811", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2062", url: "https://www.cve.org/CVERecord?id=CVE-2014-2062", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2062", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2062", }, ], release_date: "2014-02-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:N/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: user tokens not invalidated correctly (SECURITY-89)", }, { cve: "CVE-2014-2063", discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067812", }, ], notes: [ { category: "description", text: "Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: interface vulnerable to clickjacking attacks (SECURITY-80)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2063", }, { category: "external", summary: "RHBZ#1067812", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067812", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2063", url: "https://www.cve.org/CVERecord?id=CVE-2014-2063", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2063", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2063", }, ], release_date: "2014-02-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: interface vulnerable to clickjacking attacks (SECURITY-80)", }, { cve: "CVE-2014-2064", cwe: { id: "CWE-209", name: "Generation of Error Message Containing Sensitive Information", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067817", }, ], notes: [ { category: "description", text: "The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: failed log in attemps revealing if a user is valid or not (SECURITY-79)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2064", }, { category: "external", summary: "RHBZ#1067817", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067817", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2064", url: "https://www.cve.org/CVERecord?id=CVE-2014-2064", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2064", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2064", }, ], release_date: "2014-02-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: failed log in attemps revealing if a user is valid or not (SECURITY-79)", }, { cve: "CVE-2014-2065", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067820", }, ], notes: [ { category: "description", text: "Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: input validation issue (SECURITY-77)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2065", }, { category: "external", summary: "RHBZ#1067820", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067820", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2065", url: "https://www.cve.org/CVERecord?id=CVE-2014-2065", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2065", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2065", }, ], release_date: "2014-02-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: input validation issue (SECURITY-77)", }, { cve: "CVE-2014-2066", cwe: { id: "CWE-384", name: "Session Fixation", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067827", }, ], notes: [ { category: "description", text: "Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the \"override\" of Jenkins cookies.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: session fixation issue (SECURITY-75)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2066", }, { category: "external", summary: "RHBZ#1067827", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067827", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2066", url: "https://www.cve.org/CVERecord?id=CVE-2014-2066", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2066", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2066", }, ], release_date: "2014-02-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: session fixation issue (SECURITY-75)", }, { cve: "CVE-2014-2067", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067832", }, ], notes: [ { category: "description", text: "Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a \"remote cause note.\"", title: "Vulnerability description", }, { category: "summary", text: "jenkins: stored cross-site scripting flaw (SECURITY-74)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2067", }, { category: "external", summary: "RHBZ#1067832", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067832", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2067", url: "https://www.cve.org/CVERecord?id=CVE-2014-2067", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2067", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2067", }, ], release_date: "2014-02-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 3.5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: stored cross-site scripting flaw (SECURITY-74)", }, { cve: "CVE-2014-2068", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2014-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1067835", }, ], notes: [ { category: "description", text: "The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: information leak via system diagnostic functionalities (SECURITY-73)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-2068", }, { category: "external", summary: "RHBZ#1067835", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1067835", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-2068", url: "https://www.cve.org/CVERecord?id=CVE-2014-2068", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-2068", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-2068", }, ], release_date: "2014-02-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 2.1, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:S/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "jenkins: information leak via system diagnostic functionalities (SECURITY-73)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, { names: [ "Daniel Beck", ], summary: "Acknowledged by upstream.", }, ], cve: "CVE-2014-3661", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147758", }, ], notes: [ { category: "description", text: "Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: denial of service (SECURITY-87)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3661", }, { category: "external", summary: "RHBZ#1147758", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147758", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3661", url: "https://www.cve.org/CVERecord?id=CVE-2014-3661", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3661", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3661", }, ], release_date: "2014-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: denial of service (SECURITY-87)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, { names: [ "Daniel Beck", ], summary: "Acknowledged by upstream.", }, ], cve: "CVE-2014-3662", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147759", }, ], notes: [ { category: "description", text: "Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: username discovery (SECURITY-110)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3662", }, { category: "external", summary: "RHBZ#1147759", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147759", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3662", url: "https://www.cve.org/CVERecord?id=CVE-2014-3662", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3662", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3662", }, ], release_date: "2014-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: username discovery (SECURITY-110)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, { names: [ "Daniel Beck", ], summary: "Acknowledged by upstream.", }, ], cve: "CVE-2014-3663", cwe: { id: "CWE-863", name: "Incorrect Authorization", }, discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147764", }, ], notes: [ { category: "description", text: "Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: job configuration issues (SECURITY-127, SECURITY-128)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3663", }, { category: "external", summary: "RHBZ#1147764", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147764", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3663", url: "https://www.cve.org/CVERecord?id=CVE-2014-3663", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3663", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3663", }, ], release_date: "2014-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: job configuration issues (SECURITY-127, SECURITY-128)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, { names: [ "Jesse Glick", ], summary: "Acknowledged by upstream.", }, ], cve: "CVE-2014-3664", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147765", }, ], notes: [ { category: "description", text: "Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: directory traversal flaw (SECURITY-131)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3664", }, { category: "external", summary: "RHBZ#1147765", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147765", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3664", url: "https://www.cve.org/CVERecord?id=CVE-2014-3664", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3664", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3664", }, ], release_date: "2014-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: directory traversal flaw (SECURITY-131)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, ], cve: "CVE-2014-3665", cwe: { id: "CWE-250", name: "Execution with Unnecessary Privileges", }, discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147767", }, ], notes: [ { category: "description", text: "Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: remote code execution from slaves (SECURITY-144)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3665", }, { category: "external", summary: "RHBZ#1147767", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147767", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3665", url: "https://www.cve.org/CVERecord?id=CVE-2014-3665", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3665", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3665", }, ], release_date: "2014-10-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins: remote code execution from slaves (SECURITY-144)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, { names: [ "Stephen Connolly", ], summary: "Acknowledged by upstream.", }, ], cve: "CVE-2014-3666", discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147769", }, ], notes: [ { category: "description", text: "Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: remote code execution flaw (SECURITY-150)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3666", }, { category: "external", summary: "RHBZ#1147769", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147769", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3666", url: "https://www.cve.org/CVERecord?id=CVE-2014-3666", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3666", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3666", }, ], release_date: "2014-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins: remote code execution flaw (SECURITY-150)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, { names: [ "Jesse Glick", ], summary: "Acknowledged by upstream.", }, ], cve: "CVE-2014-3667", cwe: { id: "CWE-285", name: "Improper Authorization", }, discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147770", }, ], notes: [ { category: "description", text: "Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: plug-in code can be downloaded by anyone with read access (SECURITY-155)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3667", }, { category: "external", summary: "RHBZ#1147770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147770", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3667", url: "https://www.cve.org/CVERecord?id=CVE-2014-3667", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3667", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3667", }, ], release_date: "2014-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: plug-in code can be downloaded by anyone with read access (SECURITY-155)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, { names: [ "Wilder Rodrigues", ], summary: "Acknowledged by upstream.", }, ], cve: "CVE-2014-3678", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147760", }, ], notes: [ { category: "description", text: "Cross-site scripting (XSS) vulnerability in the Monitoring plugin before 1.53.0 for Jenkins allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: cross-site scripting flaws in the monitoring plug-in (SECURITY-113)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3678", }, { category: "external", summary: "RHBZ#1147760", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147760", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3678", url: "https://www.cve.org/CVERecord?id=CVE-2014-3678", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3678", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3678", }, ], release_date: "2014-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: cross-site scripting flaws in the monitoring plug-in (SECURITY-113)", }, { acknowledgments: [ { names: [ "Jenkins project", ], }, { names: [ "Seth Graham", ], summary: "Acknowledged by upstream.", }, ], cve: "CVE-2014-3681", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2014-09-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1147766", }, ], notes: [ { category: "description", text: "Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.", title: "Vulnerability description", }, { category: "summary", text: "jenkins: cross-site scripting flaw in Jenkins core (SECURITY-143)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-3681", }, { category: "external", summary: "RHBZ#1147766", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147766", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-3681", url: "https://www.cve.org/CVERecord?id=CVE-2014-3681", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-3681", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3681", }, ], release_date: "2014-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-10-14T13:01:14+00:00", details: "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nSee the OpenShift Enterprise 2.1 Release Notes, which will be updated shortly for this advisory, for important instructions on how to fully apply this asynchronous errata update:\n\nhttps://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates\n\nThis update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.", product_ids: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHBA-2014:1630", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, products: [ "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:jenkins-0:1.565.3-1.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.src", "6Server-RHOSE-NODE-2.1:jenkins-plugin-openshift-0:0.6.40.1-0.el6op.x86_64", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.noarch", "6Server-RHOSE-NODE-2.1:openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins: cross-site scripting flaw in Jenkins core (SECURITY-143)", }, ], }
gsd-2014-3665
Vulnerability from gsd
Modified
2023-12-13 01:22
Details
Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.
Aliases
Aliases
{ GSD: { alias: "CVE-2014-3665", description: "Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.", id: "GSD-2014-3665", references: [ "https://access.redhat.com/errata/RHBA-2014:1630", ], }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2014-3665", ], details: "Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.", id: "GSD-2014-3665", modified: "2023-12-13T01:22:53.094346Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2014-3665", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_affected: "=", version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.jenkins-ci.org/display/JENKINS/Slave+To+Master+Access+Control", refsource: "MISC", url: "https://wiki.jenkins-ci.org/display/JENKINS/Slave+To+Master+Access+Control", }, { name: "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30", refsource: "MISC", url: "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30", }, { name: "https://www.cloudbees.com/jenkins-security-advisory-2014-10-30", refsource: "MISC", url: "https://www.cloudbees.com/jenkins-security-advisory-2014-10-30", }, { name: "https://bugzilla.redhat.com/show_bug.cgi?id=1147767", refsource: "MISC", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147767", }, ], }, }, "gitlab.com": { advisories: [ { affected_range: "(,1.587)", affected_versions: "All versions before 1.587", cvss_v2: "AV:N/AC:M/Au:N/C:P/I:P/A:P", cwe_ids: [ "CWE-1035", "CWE-264", "CWE-78", "CWE-937", ], date: "2023-02-03", description: "CVE-2014-3665 jenkins: remote code execution from slaves (SECURITY-144)", fixed_versions: [ "1.587", ], identifier: "CVE-2014-3665", identifiers: [ "GHSA-66cr-6whx-732p", "CVE-2014-3665", ], not_impacted: "All versions starting from 1.587", package_slug: "maven/org.jenkins-ci.main/jenkins-core", pubdate: "2022-05-17", solution: "Upgrade to version 1.587 or above.", title: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", urls: [ "https://nvd.nist.gov/vuln/detail/CVE-2014-3665", "https://bugzilla.redhat.com/show_bug.cgi?id=1147767", "https://wiki.jenkins-ci.org/display/JENKINS/Slave+To+Master+Access+Control", "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30", "https://access.redhat.com/errata/RHBA-2014:1630", "https://access.redhat.com/security/cve/CVE-2014-3665", "https://github.com/advisories/GHSA-66cr-6whx-732p", ], uuid: "11b3e1a5-8d26-495d-8fe8-86d813fd63ff", }, ], }, "nvd.nist.gov": { configurations: { CVE_data_version: "4.0", nodes: [ { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*", cpe_name: [], versionEndIncluding: "1.586", vulnerable: true, }, ], operator: "OR", }, { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", cpe_name: [], versionEndIncluding: "1.565.3", vulnerable: true, }, ], operator: "OR", }, ], }, cve: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2014-3665", }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "en", value: "Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "en", value: "CWE-264", }, ], }, ], }, references: { reference_data: [ { name: "https://wiki.jenkins-ci.org/display/JENKINS/Slave+To+Master+Access+Control", refsource: "CONFIRM", tags: [ "Vendor Advisory", ], url: "https://wiki.jenkins-ci.org/display/JENKINS/Slave+To+Master+Access+Control", }, { name: "https://bugzilla.redhat.com/show_bug.cgi?id=1147767", refsource: "CONFIRM", tags: [], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147767", }, { name: "https://www.cloudbees.com/jenkins-security-advisory-2014-10-30", refsource: "CONFIRM", tags: [ "Vendor Advisory", ], url: "https://www.cloudbees.com/jenkins-security-advisory-2014-10-30", }, { name: "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30", refsource: "CONFIRM", tags: [ "Vendor Advisory", ], url: "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30", }, ], }, }, impact: { baseMetricV2: { acInsufInfo: false, cvssV2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, severity: "MEDIUM", userInteractionRequired: false, }, }, lastModifiedDate: "2023-02-13T00:41Z", publishedDate: "2015-11-25T20:59Z", }, }, }
fkie_cve-2014-3665
Vulnerability from fkie_nvd
Published
2015-11-25 20:59
Modified
2025-04-12 10:46
Severity ?
Summary
Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*", matchCriteriaId: "90230A3F-36A2-45C9-A506-31CC896ABE21", versionEndIncluding: "1.586", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", matchCriteriaId: "A50FA41C-BF02-4D87-B1DA-7F3EE6E9C367", versionEndIncluding: "1.565.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.", }, { lang: "es", value: "Jenkins en versiones anteriores a 1.587 y LTS en versiones anteriores a 1.580.1 no asegura correctamente la separación de confianza entre un maestro y un esclavo, lo que podría permitir a atacantes remotos ejecutar código arbitrario en el maestro aprovechando el acceso al esclavo.", }, ], id: "CVE-2014-3665", lastModified: "2025-04-12T10:46:40.837", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2015-11-25T20:59:00.190", references: [ { source: "secalert@redhat.com", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147767", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://wiki.jenkins-ci.org/display/JENKINS/Slave+To+Master+Access+Control", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://www.cloudbees.com/jenkins-security-advisory-2014-10-30", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147767", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.jenkins-ci.org/display/JENKINS/Slave+To+Master+Access+Control", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.cloudbees.com/jenkins-security-advisory-2014-10-30", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Deferred", weaknesses: [ { description: [ { lang: "en", value: "CWE-264", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
ghsa-66cr-6whx-732p
Vulnerability from github
Published
2022-05-17 03:53
Modified
2023-02-03 23:24
Summary
Jenkins improperly ensures trust separation
Details
Jenkins prior to 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.
{ affected: [ { package: { ecosystem: "Maven", name: "org.jenkins-ci.main:jenkins-core", }, ranges: [ { events: [ { introduced: "0", }, { fixed: "1.587", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2014-3665", ], database_specific: { cwe_ids: [], github_reviewed: true, github_reviewed_at: "2023-02-03T23:24:51Z", nvd_published_at: "2015-11-25T20:59:00Z", severity: "MODERATE", }, details: "Jenkins prior to 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.", id: "GHSA-66cr-6whx-732p", modified: "2023-02-03T23:24:51Z", published: "2022-05-17T03:53:35Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-3665", }, { type: "WEB", url: "https://access.redhat.com/errata/RHBA-2014:1630", }, { type: "WEB", url: "https://access.redhat.com/security/cve/CVE-2014-3665", }, { type: "WEB", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1147767", }, { type: "WEB", url: "https://wiki.jenkins-ci.org/display/JENKINS/Slave+To+Master+Access+Control", }, { type: "WEB", url: "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30", }, ], schema_version: "1.4.0", severity: [], summary: "Jenkins improperly ensures trust separation", }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.