csaf_redhat - rhsa-2016

rhsa-2016_0711

Vulnerability from csaf_redhat

Published

2016-05-03 15:30

Modified

2024-09-15 23:20

Summary

Red Hat Security Advisory: jenkins security update

Notes

Topic

An updated Jenkins package and image that include a security fix are now available for Red Hat OpenShift Enterprise 3.1. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

OpenShift Enterprise by Red Hat is the company's cloud computing Platform- as-a-Service (PaaS) solution designed for on-premise or private cloud deployments. Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Security Fix(es): The Jenkins continuous integration server has been updated to upstream version 1.642.2 LTS that addresses a large number of security issues, including XSS, CSRF, information disclosure, and code execution. (CVE-2016-0788, CVE-2016-0789, CVE-2016-0790, CVE-2016-0791, CVE-2016-0792) Refer to the changelog listed in the References section for a list of changes. This update includes the following image: openshift3/jenkins-1-rhel7:1.642-30 All OpenShift Enterprise 3.1 users are advised to upgrade to the updated package and image.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An updated Jenkins package and image that include a security fix are now \navailable for Red Hat OpenShift Enterprise 3.1.\n\nRed Hat Product Security has rated this update as having a security impact \nof Important. A Common Vulnerability Scoring System (CVSS) base score, \nwhich gives a detailed severity rating, is available for each vulnerability \nfrom the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "OpenShift Enterprise by Red Hat is the company\u0027s cloud computing Platform-\nas-a-Service (PaaS) solution designed for on-premise or private cloud \ndeployments.\n\nJenkins is a continuous integration server that monitors executions of \nrepeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\nThe Jenkins continuous integration server has been updated to upstream \nversion 1.642.2 LTS that addresses a large number of security issues, \nincluding XSS, CSRF, information disclosure, and code execution. \n(CVE-2016-0788, CVE-2016-0789, CVE-2016-0790, CVE-2016-0791, CVE-2016-0792)\n\nRefer to the changelog listed in the References section for a list of \nchanges.\n\nThis update includes the following image:\n\nopenshift3/jenkins-1-rhel7:1.642-30\n\nAll OpenShift Enterprise 3.1 users are advised to upgrade to the updated \npackage and image.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2016:0711",
        "url": "https://access.redhat.com/errata/RHSA-2016:0711"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24",
        "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24"
      },
      {
        "category": "external",
        "summary": "https://jenkins.io/changelog-stable/#v1.642.2",
        "url": "https://jenkins.io/changelog-stable/#v1.642.2"
      },
      {
        "category": "external",
        "summary": "1311946",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311946"
      },
      {
        "category": "external",
        "summary": "1311947",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311947"
      },
      {
        "category": "external",
        "summary": "1311948",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311948"
      },
      {
        "category": "external",
        "summary": "1311949",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311949"
      },
      {
        "category": "external",
        "summary": "1311950",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311950"
      },
      {
        "category": "external",
        "summary": "1324664",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1324664"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2016/rhsa-2016_0711.json"
      }
    ],
    "title": "Red Hat Security Advisory: jenkins security update",
    "tracking": {
      "current_release_date": "2024-09-15T23:20:46+00:00",
      "generator": {
        "date": "2024-09-15T23:20:46+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "3.33.3"
        }
      },
      "id": "RHSA-2016:0711",
      "initial_release_date": "2016-05-03T15:30:17+00:00",
      "revision_history": [
        {
          "date": "2016-05-03T15:30:17+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2016-05-03T15:30:17+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-09-15T23:20:46+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenShift Enterprise 3.1",
                "product": {
                  "name": "Red Hat OpenShift Enterprise 3.1",
                  "product_id": "7Server-RH7-RHOSE-3.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift:3.1::el7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift Enterprise"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jenkins-0:1.642.2-1.el7.noarch",
                "product": {
                  "name": "jenkins-0:1.642.2-1.el7.noarch",
                  "product_id": "jenkins-0:1.642.2-1.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins@1.642.2-1.el7?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jenkins-0:1.642.2-1.el7.src",
                "product": {
                  "name": "jenkins-0:1.642.2-1.el7.src",
                  "product_id": "jenkins-0:1.642.2-1.el7.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins@1.642.2-1.el7?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jenkins-plugin-credentials-0:1.24-2.el7.src",
                "product": {
                  "name": "jenkins-plugin-credentials-0:1.24-2.el7.src",
                  "product_id": "jenkins-plugin-credentials-0:1.24-2.el7.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins-plugin-credentials@1.24-2.el7?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src",
                "product": {
                  "name": "jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src",
                  "product_id": "jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins-plugin-openshift-pipeline@1.0.9-1.el7?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jenkins-plugin-durable-task-0:1.7-1.el7.src",
                "product": {
                  "name": "jenkins-plugin-durable-task-0:1.7-1.el7.src",
                  "product_id": "jenkins-plugin-durable-task-0:1.7-1.el7.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins-plugin-durable-task@1.7-1.el7?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jenkins-plugin-kubernetes-0:0.5-1.el7.src",
                "product": {
                  "name": "jenkins-plugin-kubernetes-0:0.5-1.el7.src",
                  "product_id": "jenkins-plugin-kubernetes-0:0.5-1.el7.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins-plugin-kubernetes@0.5-1.el7?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jenkins-plugin-credentials-0:1.24-2.el7.x86_64",
                "product": {
                  "name": "jenkins-plugin-credentials-0:1.24-2.el7.x86_64",
                  "product_id": "jenkins-plugin-credentials-0:1.24-2.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins-plugin-credentials@1.24-2.el7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64",
                "product": {
                  "name": "jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64",
                  "product_id": "jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins-plugin-openshift-pipeline@1.0.9-1.el7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jenkins-plugin-durable-task-0:1.7-1.el7.x86_64",
                "product": {
                  "name": "jenkins-plugin-durable-task-0:1.7-1.el7.x86_64",
                  "product_id": "jenkins-plugin-durable-task-0:1.7-1.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins-plugin-durable-task@1.7-1.el7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64",
                "product": {
                  "name": "jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64",
                  "product_id": "jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins-plugin-kubernetes@0.5-1.el7?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-0:1.642.2-1.el7.noarch as a component of Red Hat OpenShift Enterprise 3.1",
          "product_id": "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch"
        },
        "product_reference": "jenkins-0:1.642.2-1.el7.noarch",
        "relates_to_product_reference": "7Server-RH7-RHOSE-3.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-0:1.642.2-1.el7.src as a component of Red Hat OpenShift Enterprise 3.1",
          "product_id": "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src"
        },
        "product_reference": "jenkins-0:1.642.2-1.el7.src",
        "relates_to_product_reference": "7Server-RH7-RHOSE-3.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-plugin-credentials-0:1.24-2.el7.src as a component of Red Hat OpenShift Enterprise 3.1",
          "product_id": "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src"
        },
        "product_reference": "jenkins-plugin-credentials-0:1.24-2.el7.src",
        "relates_to_product_reference": "7Server-RH7-RHOSE-3.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-plugin-credentials-0:1.24-2.el7.x86_64 as a component of Red Hat OpenShift Enterprise 3.1",
          "product_id": "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64"
        },
        "product_reference": "jenkins-plugin-credentials-0:1.24-2.el7.x86_64",
        "relates_to_product_reference": "7Server-RH7-RHOSE-3.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-plugin-durable-task-0:1.7-1.el7.src as a component of Red Hat OpenShift Enterprise 3.1",
          "product_id": "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src"
        },
        "product_reference": "jenkins-plugin-durable-task-0:1.7-1.el7.src",
        "relates_to_product_reference": "7Server-RH7-RHOSE-3.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-plugin-durable-task-0:1.7-1.el7.x86_64 as a component of Red Hat OpenShift Enterprise 3.1",
          "product_id": "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64"
        },
        "product_reference": "jenkins-plugin-durable-task-0:1.7-1.el7.x86_64",
        "relates_to_product_reference": "7Server-RH7-RHOSE-3.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-plugin-kubernetes-0:0.5-1.el7.src as a component of Red Hat OpenShift Enterprise 3.1",
          "product_id": "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src"
        },
        "product_reference": "jenkins-plugin-kubernetes-0:0.5-1.el7.src",
        "relates_to_product_reference": "7Server-RH7-RHOSE-3.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64 as a component of Red Hat OpenShift Enterprise 3.1",
          "product_id": "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64"
        },
        "product_reference": "jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64",
        "relates_to_product_reference": "7Server-RH7-RHOSE-3.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src as a component of Red Hat OpenShift Enterprise 3.1",
          "product_id": "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src"
        },
        "product_reference": "jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src",
        "relates_to_product_reference": "7Server-RH7-RHOSE-3.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64 as a component of Red Hat OpenShift Enterprise 3.1",
          "product_id": "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64"
        },
        "product_reference": "jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64",
        "relates_to_product_reference": "7Server-RH7-RHOSE-3.1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2016-0788",
      "discovery_date": "2016-02-24T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1311946"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jenkins: Remote code execution vulnerability in remoting module (SECURITY-232)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch",
          "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-0788"
        },
        {
          "category": "external",
          "summary": "RHBZ#1311946",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311946"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-0788",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-0788"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-0788",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0788"
        },
        {
          "category": "external",
          "summary": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24",
          "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24"
        }
      ],
      "release_date": "2016-02-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata \nrelevant to your system have been applied.\n\nThe Red Hat Enterprise Linux container images provided by this update can \nbe downloaded from the Red Hat Container Registry at \nregistry.access.redhat.com using the \"docker pull\" command. Dockerfiles and \nscripts should be amended either to refer to this new image specifically, \nor to the latest image generally.\n\nThe packages in this update are available via the Red Hat Network. Details \non how to use the Red Hat Network to apply this update are available at \nhttps://access.redhat.com/articles/11258.",
          "product_ids": [
            "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch",
            "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:0711"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch",
            "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "jenkins: Remote code execution vulnerability in remoting module (SECURITY-232)"
    },
    {
      "cve": "CVE-2016-0789",
      "discovery_date": "2016-02-24T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1311947"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jenkins: HTTP response splitting vulnerability (SECURITY-238)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch",
          "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-0789"
        },
        {
          "category": "external",
          "summary": "RHBZ#1311947",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311947"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-0789",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-0789"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-0789",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0789"
        },
        {
          "category": "external",
          "summary": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24",
          "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24"
        }
      ],
      "release_date": "2016-02-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata \nrelevant to your system have been applied.\n\nThe Red Hat Enterprise Linux container images provided by this update can \nbe downloaded from the Red Hat Container Registry at \nregistry.access.redhat.com using the \"docker pull\" command. Dockerfiles and \nscripts should be amended either to refer to this new image specifically, \nor to the latest image generally.\n\nThe packages in this update are available via the Red Hat Network. Details \non how to use the Red Hat Network to apply this update are available at \nhttps://access.redhat.com/articles/11258.",
          "product_ids": [
            "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch",
            "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:0711"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch",
            "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jenkins: HTTP response splitting vulnerability (SECURITY-238)"
    },
    {
      "cve": "CVE-2016-0790",
      "discovery_date": "2016-02-24T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1311948"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jenkins: Non-constant time comparison of API token (SECURITY-241)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch",
          "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-0790"
        },
        {
          "category": "external",
          "summary": "RHBZ#1311948",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311948"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-0790",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-0790"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-0790",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0790"
        },
        {
          "category": "external",
          "summary": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24",
          "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24"
        }
      ],
      "release_date": "2016-02-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata \nrelevant to your system have been applied.\n\nThe Red Hat Enterprise Linux container images provided by this update can \nbe downloaded from the Red Hat Container Registry at \nregistry.access.redhat.com using the \"docker pull\" command. Dockerfiles and \nscripts should be amended either to refer to this new image specifically, \nor to the latest image generally.\n\nThe packages in this update are available via the Red Hat Network. Details \non how to use the Red Hat Network to apply this update are available at \nhttps://access.redhat.com/articles/11258.",
          "product_ids": [
            "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch",
            "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:0711"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.1,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch",
            "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "jenkins: Non-constant time comparison of API token (SECURITY-241)"
    },
    {
      "cve": "CVE-2016-0791",
      "discovery_date": "2016-02-24T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1311949"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jenkins: Non-constant time comparison of CSRF crumbs (SECURITY-245)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch",
          "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-0791"
        },
        {
          "category": "external",
          "summary": "RHBZ#1311949",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311949"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-0791",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-0791"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-0791",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0791"
        },
        {
          "category": "external",
          "summary": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24",
          "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24"
        }
      ],
      "release_date": "2016-02-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata \nrelevant to your system have been applied.\n\nThe Red Hat Enterprise Linux container images provided by this update can \nbe downloaded from the Red Hat Container Registry at \nregistry.access.redhat.com using the \"docker pull\" command. Dockerfiles and \nscripts should be amended either to refer to this new image specifically, \nor to the latest image generally.\n\nThe packages in this update are available via the Red Hat Network. Details \non how to use the Red Hat Network to apply this update are available at \nhttps://access.redhat.com/articles/11258.",
          "product_ids": [
            "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch",
            "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:0711"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 3.6,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch",
            "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jenkins: Non-constant time comparison of CSRF crumbs (SECURITY-245)"
    },
    {
      "cve": "CVE-2016-0792",
      "discovery_date": "2016-02-24T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1311950"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jenkins: Remote code execution through remote API (SECURITY-247)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch",
          "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src",
          "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-0792"
        },
        {
          "category": "external",
          "summary": "RHBZ#1311950",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311950"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-0792",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-0792"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-0792",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0792"
        },
        {
          "category": "external",
          "summary": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24",
          "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24"
        }
      ],
      "release_date": "2016-02-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata \nrelevant to your system have been applied.\n\nThe Red Hat Enterprise Linux container images provided by this update can \nbe downloaded from the Red Hat Container Registry at \nregistry.access.redhat.com using the \"docker pull\" command. Dockerfiles and \nscripts should be amended either to refer to this new image specifically, \nor to the latest image generally.\n\nThe packages in this update are available via the Red Hat Network. Details \non how to use the Red Hat Network to apply this update are available at \nhttps://access.redhat.com/articles/11258.",
          "product_ids": [
            "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch",
            "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:0711"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch",
            "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src",
            "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "jenkins: Remote code execution through remote API (SECURITY-247)"
    }
  ]
}

cve-2016-0790

Vulnerability from cvelistv5

Published

2016-04-07 23:00

Modified

2024-08-05 22:30

Severity

Summary

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

References

URL	Tags
https://access.redhat.com/errata/RHSA-2016:0711	vendor-advisory, x_refsource_REDHAT
http://rhn.redhat.com/errata/RHSA-2016-1773.html	vendor-advisory, x_refsource_REDHAT
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24	x_refsource_CONFIRM

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T22:30:05.130Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2016:0711",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:0711"
          },
          {
            "name": "RHSA-2016:1773",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-02-25T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-01-04T19:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2016:0711",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:0711"
        },
        {
          "name": "RHSA-2016:1773",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2016-0790",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2016:0711",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2016:0711"
            },
            {
              "name": "RHSA-2016:1773",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html"
            },
            {
              "name": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24",
              "refsource": "CONFIRM",
              "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2016-0790",
    "datePublished": "2016-04-07T23:00:00",
    "dateReserved": "2015-12-16T00:00:00",
    "dateUpdated": "2024-08-05T22:30:05.130Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2016-0791

Vulnerability from cvelistv5

Published

2016-04-07 23:00

Modified

2024-08-05 22:30

Severity

Summary

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

References

URL	Tags
https://access.redhat.com/errata/RHSA-2016:0711	vendor-advisory, x_refsource_REDHAT
http://rhn.redhat.com/errata/RHSA-2016-1773.html	vendor-advisory, x_refsource_REDHAT
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24	x_refsource_CONFIRM

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T22:30:05.037Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2016:0711",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:0711"
          },
          {
            "name": "RHSA-2016:1773",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-02-25T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-01-04T19:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2016:0711",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:0711"
        },
        {
          "name": "RHSA-2016:1773",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2016-0791",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2016:0711",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2016:0711"
            },
            {
              "name": "RHSA-2016:1773",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html"
            },
            {
              "name": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24",
              "refsource": "CONFIRM",
              "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2016-0791",
    "datePublished": "2016-04-07T23:00:00",
    "dateReserved": "2015-12-16T00:00:00",
    "dateUpdated": "2024-08-05T22:30:05.037Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2016-0789

Vulnerability from cvelistv5

Published

2016-04-07 23:00

Modified

2024-08-05 22:30

Severity

Summary

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

References

URL	Tags
https://access.redhat.com/errata/RHSA-2016:0711	vendor-advisory, x_refsource_REDHAT
http://rhn.redhat.com/errata/RHSA-2016-1773.html	vendor-advisory, x_refsource_REDHAT
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24	x_refsource_CONFIRM

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T22:30:04.049Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2016:0711",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:0711"
          },
          {
            "name": "RHSA-2016:1773",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-02-25T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-01-04T19:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2016:0711",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:0711"
        },
        {
          "name": "RHSA-2016:1773",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2016-0789",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2016:0711",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2016:0711"
            },
            {
              "name": "RHSA-2016:1773",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html"
            },
            {
              "name": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24",
              "refsource": "CONFIRM",
              "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2016-0789",
    "datePublished": "2016-04-07T23:00:00",
    "dateReserved": "2015-12-16T00:00:00",
    "dateUpdated": "2024-08-05T22:30:04.049Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2016-0788

Vulnerability from cvelistv5

Published

2016-04-07 23:00

Modified

2024-08-05 22:30

Severity

Summary

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

References

URL	Tags
https://access.redhat.com/errata/RHSA-2016:0711	vendor-advisory, x_refsource_REDHAT
http://rhn.redhat.com/errata/RHSA-2016-1773.html	vendor-advisory, x_refsource_REDHAT
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24	x_refsource_CONFIRM

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T22:30:04.546Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2016:0711",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:0711"
          },
          {
            "name": "RHSA-2016:1773",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-02-25T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-01-04T19:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2016:0711",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:0711"
        },
        {
          "name": "RHSA-2016:1773",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2016-0788",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2016:0711",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2016:0711"
            },
            {
              "name": "RHSA-2016:1773",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html"
            },
            {
              "name": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24",
              "refsource": "CONFIRM",
              "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2016-0788",
    "datePublished": "2016-04-07T23:00:00",
    "dateReserved": "2015-12-16T00:00:00",
    "dateUpdated": "2024-08-05T22:30:04.546Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2016-0792

Vulnerability from cvelistv5

Published

2016-04-07 23:00

Modified

2024-08-05 22:30

Severity

Summary

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

References

URL	Tags
https://www.exploit-db.com/exploits/43375/	exploit, x_refsource_EXPLOIT-DB
https://access.redhat.com/errata/RHSA-2016:0711	vendor-advisory, x_refsource_REDHAT
https://www.exploit-db.com/exploits/42394/	exploit, x_refsource_EXPLOIT-DB
https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream	x_refsource_MISC
http://rhn.redhat.com/errata/RHSA-2016-1773.html	vendor-advisory, x_refsource_REDHAT
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24	x_refsource_CONFIRM

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T22:30:05.113Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "43375",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/43375/"
          },
          {
            "name": "RHSA-2016:0711",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:0711"
          },
          {
            "name": "42394",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/42394/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream"
          },
          {
            "name": "RHSA-2016:1773",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-02-25T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-01-04T19:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "43375",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/43375/"
        },
        {
          "name": "RHSA-2016:0711",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:0711"
        },
        {
          "name": "42394",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/42394/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream"
        },
        {
          "name": "RHSA-2016:1773",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2016-0792",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "43375",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/43375/"
            },
            {
              "name": "RHSA-2016:0711",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2016:0711"
            },
            {
              "name": "42394",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/42394/"
            },
            {
              "name": "https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream",
              "refsource": "MISC",
              "url": "https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream"
            },
            {
              "name": "RHSA-2016:1773",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html"
            },
            {
              "name": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24",
              "refsource": "CONFIRM",
              "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2016-0792",
    "datePublished": "2016-04-07T23:00:00",
    "dateReserved": "2015-12-16T00:00:00",
    "dateUpdated": "2024-08-05T22:30:05.113Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Action not permitted

rhsa-2016_0711

Vulnerability from csaf_redhat

cve-2016-0790

Vulnerability from cvelistv5

cve-2016-0791

Vulnerability from cvelistv5

cve-2016-0789

Vulnerability from cvelistv5

cve-2016-0788

Vulnerability from cvelistv5

cve-2016-0792

Vulnerability from cvelistv5

Tags