rhsa-2016_0711
Vulnerability from csaf_redhat
Published
2016-05-03 15:30
Modified
2024-11-22 09:58
Summary
Red Hat Security Advisory: jenkins security update
Notes
Topic
An updated Jenkins package and image that include security fixes are now
available for Red Hat OpenShift Enterprise 3.1.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
Details
OpenShift Enterprise by Red Hat is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private
cloud deployments.
Jenkins is a continuous integration server that monitors executions of
repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
The Jenkins continuous integration server has been updated to upstream
version 1.642.2 LTS, which addresses a large number of security issues,
including XSS, CSRF, information disclosure, and code execution. The five
issues tracked by this advisory are: remote code execution in the remoting
module via a JRMP listener (CVE-2016-0788, SECURITY-232); HTTP response
splitting through CRLF injection in the CLI command documentation
(CVE-2016-0789, SECURITY-238); non-constant-time comparison of API tokens
(CVE-2016-0790, SECURITY-241) and of CSRF crumbs (CVE-2016-0791,
SECURITY-245), each of which eases brute-force recovery of the secret; and
remote code execution by authenticated users through XStream
deserialization of XML submitted to the remote API (CVE-2016-0792,
SECURITY-247).
Refer to the changelog listed in the References section for a list of
changes.
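Two of the CVEs listed above, CVE-2016-0790 and CVE-2016-0791, are described in the per-CVE records of the CSAF document further down as non-constant-time comparison of API tokens and CSRF crumbs. The snippet below is an added illustration of that bug class and is not Jenkins code (the upstream fix is in Java): an early-exit string compare is placed beside a compare that always touches every byte, and a simulated attacker uses "bytes examined" as a stand-in for the response time it would measure. The secret, alphabet and padding byte are constructed for the demonstration.

```python
import hmac
from typing import Callable, Optional, Tuple

Compare = Callable[[str, str], Tuple[bool, int]]


def naive_equal(expected: str, supplied: str) -> Tuple[bool, int]:
    """Early-exit comparison of the kind behind CVE-2016-0790/0791.

    Returns (match, bytes_examined). The second value stands in for the
    elapsed time an attacker would measure: it grows with the length of
    the correct prefix of `supplied`, which is the side channel.
    """
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(expected, supplied):
        examined += 1
        if a != b:
            return False, examined  # leaks the position of the first mismatch
    return True, examined


def constant_time_equal(expected: str, supplied: str) -> Tuple[bool, int]:
    """OR-accumulates XOR differences over every byte with no early exit.

    bytes_examined is always len(expected) for same-length inputs, so the
    work done no longer depends on the guess. A length mismatch is still
    visible; API tokens and crumbs have a fixed length, so that is fine.
    """
    e, s = expected.encode(), supplied.encode()
    if len(e) != len(s):
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(e, s):
        examined += 1
        diff |= a ^ b
    return diff == 0, examined


def stdlib_equal(expected: str, supplied: str) -> bool:
    """What production code should call: the standard library's
    constant-time digest comparison."""
    return hmac.compare_digest(expected.encode(), supplied.encode())


def simulated_prefix_attack(secret: str, alphabet: str,
                            compare: Compare) -> Tuple[Optional[str], int]:
    """Recover `secret` one character at a time, using bytes_examined as
    the timing oracle. PAD must not occur in the secret's alphabet.

    Against naive_equal this needs at most len(secret) * len(alphabet)
    guesses instead of len(alphabet) ** len(secret). Against
    constant_time_equal the oracle is flat, the attack locks onto wrong
    characters and the final verification fails (returns None).
    """
    PAD = "\x00"
    n = len(secret)
    guess = ""
    queries = 0
    for pos in range(n):
        found = None
        for c in alphabet:
            candidate = guess + c + PAD * (n - pos - 1)
            ok, examined = compare(secret, candidate)
            queries += 1
            if ok:
                return candidate, queries
            if examined > pos + 1:  # comparison ran past this position
                found = c
                break
        if found is None:
            return None, queries
        guess += found
    ok, _ = compare(secret, guess)
    return (guess if ok else None), queries


if __name__ == "__main__":
    secret = "7f3a"  # constructed 4-hex-digit token
    hexdigits = "0123456789abcdef"
    print("naive   :", simulated_prefix_attack(secret, hexdigits, naive_equal))
    print("constant:", simulated_prefix_attack(secret, hexdigits, constant_time_equal))
```

Run as a script it shows the naive compare giving up the constructed token in 39 guesses, while the constant-time compare yields nothing. Real timing attacks over a network need many repeated measurements per guess to average out jitter, but the ordering of the work, not the absolute time, is what the fix removes.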
This update includes the following image:
openshift3/jenkins-1-rhel7:1.642-30
All OpenShift Enterprise 3.1 users are advised to upgrade to the updated
package and image.
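Because the advisory ships both RPMs and a container image, the first thing to verify after applying it is that a host is actually on the fixed builds. The script below is an added example, not Red Hat tooling: it reimplements rpm's version ordering in Python (the segment rules of rpmvercmp, including '~' pre-release ordering), parses `rpm -qa` style NEVRAs, and compares them against the fixed NEVRAs taken from this advisory's product tree. The `rpm -qa` sample is constructed, and the image-tag check assumes that jenkins-1-rhel7 tags order like RPM version strings, which the advisory does not state.

```python
import re
from itertools import zip_longest
from typing import Dict, List, Optional, Tuple

# Fixed binary packages from the product tree of RHSA-2016:0711.
FIXED = {
    "jenkins": "jenkins-0:1.642.2-1.el7.noarch",
    "jenkins-plugin-credentials": "jenkins-plugin-credentials-0:1.24-2.el7.x86_64",
    "jenkins-plugin-durable-task": "jenkins-plugin-durable-task-0:1.7-1.el7.x86_64",
    "jenkins-plugin-kubernetes": "jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64",
    "jenkins-plugin-openshift-pipeline": "jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64",
}
FIXED_IMAGE_TAG = "1.642-30"  # openshift3/jenkins-1-rhel7:1.642-30

_ARCHES = {"noarch", "x86_64", "src", "i686", "aarch64", "ppc64le", "s390x"}
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Order version/release strings as rpm does: numeric runs compare
    numerically, alphabetic runs lexically, a number beats letters, '~'
    sorts before anything (even end of string), leftover segments win."""
    if a == b:
        return 0
    for x, y in zip_longest(_SEGMENT.findall(a), _SEGMENT.findall(b)):
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x is None:
            return -1
        if y is None:
            return 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    return 0


def parse_nevra(s: str) -> Tuple[str, int, str, str, Optional[str]]:
    """Split 'name-[epoch:]version-release[.arch]' (rpm -q output or an
    advisory product id) into (name, epoch, version, release, arch)."""
    name, ver, rel = s.rsplit("-", 2)
    arch: Optional[str] = None
    head, _, tail = rel.rpartition(".")
    if tail in _ARCHES:
        rel, arch = head, tail
    epoch = 0
    if ":" in ver:
        e, ver = ver.split(":", 1)
        epoch = int(e)
    return name, epoch, ver, rel, arch


EVR = Tuple[int, str, str]


def compare_evr(a: EVR, b: EVR) -> int:
    """Epoch first, then version, then release; >0 means a is newer."""
    if a[0] != b[0]:
        return -1 if a[0] < b[0] else 1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def audit_packages(rpm_qa_lines: List[str]) -> Dict[str, str]:
    """Map each advisory package present on the host to 'fixed' or
    'vulnerable'; packages that are not installed are left out."""
    status: Dict[str, str] = {}
    for line in rpm_qa_lines:
        line = line.strip()
        if not line:
            continue
        name, e, v, r, _ = parse_nevra(line)
        if name not in FIXED:
            continue
        _, fe, fv, fr, _ = parse_nevra(FIXED[name])
        status[name] = "fixed" if compare_evr((e, v, r), (fe, fv, fr)) >= 0 else "vulnerable"
    return status


def image_tag_is_fixed(tag: str) -> bool:
    """Assumption, not stated by the advisory: the image tags use the same
    dotted/dashed numbering, so rpm ordering applies. Resolve a 'latest'
    tag to its version tag (docker inspect) before calling this."""
    return rpmvercmp(tag, FIXED_IMAGE_TAG) >= 0


# Constructed `rpm -qa` sample: plugins updated, Jenkins itself still on
# the previous LTS build.
SAMPLE_RPM_QA = """
jenkins-1.642.1-1.el7.noarch
jenkins-plugin-credentials-1.24-2.el7.x86_64
jenkins-plugin-kubernetes-0.5-1.el7.x86_64
jenkins-plugin-openshift-pipeline-1.0.9-1.el7.x86_64
bash-4.2.46-19.el7.x86_64
""".splitlines()

if __name__ == "__main__":
    for pkg, state in sorted(audit_packages(SAMPLE_RPM_QA).items()):
        print(f"{pkg}: {state}")
    print("image tag 1.642-29 fixed:", image_tag_is_fixed("1.642-29"))
```

On a real host, feed it `rpm -qa --qf '%{name}-%{epochnum}:%{version}-%{release}.%{arch}\n'` so that epochs are explicit; the parser also accepts the default `rpm -qa` format, treating a missing epoch as 0.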
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An updated Jenkins package and image that include a security fix are now \navailable for Red Hat OpenShift Enterprise 3.1.\n\nRed Hat Product Security has rated this update as having a security impact \nof Important. A Common Vulnerability Scoring System (CVSS) base score, \nwhich gives a detailed severity rating, is available for each vulnerability \nfrom the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "OpenShift Enterprise by Red Hat is the company\u0027s cloud computing Platform-\nas-a-Service (PaaS) solution designed for on-premise or private cloud \ndeployments.\n\nJenkins is a continuous integration server that monitors executions of \nrepeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\nThe Jenkins continuous integration server has been updated to upstream \nversion 1.642.2 LTS that addresses a large number of security issues, \nincluding XSS, CSRF, information disclosure, and code execution. \n(CVE-2016-0788, CVE-2016-0789, CVE-2016-0790, CVE-2016-0791, CVE-2016-0792)\n\nRefer to the changelog listed in the References section for a list of \nchanges.\n\nThis update includes the following image:\n\nopenshift3/jenkins-1-rhel7:1.642-30\n\nAll OpenShift Enterprise 3.1 users are advised to upgrade to the updated \npackage and image.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). 
If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2016:0711", "url": "https://access.redhat.com/errata/RHSA-2016:0711" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24", "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24" }, { "category": "external", "summary": "https://jenkins.io/changelog-stable/#v1.642.2", "url": "https://jenkins.io/changelog-stable/#v1.642.2" }, { "category": "external", "summary": "1311946", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311946" }, { "category": "external", "summary": "1311947", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311947" }, { "category": "external", "summary": "1311948", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311948" }, { "category": "external", "summary": "1311949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311949" }, { "category": "external", "summary": "1311950", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311950" }, { "category": "external", "summary": "1324664", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1324664" }, { "category": "self", "summary": "Canonical URL", "url": 
"https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_0711.json" } ], "title": "Red Hat Security Advisory: jenkins security update", "tracking": { "current_release_date": "2024-11-22T09:58:58+00:00", "generator": { "date": "2024-11-22T09:58:58+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2016:0711", "initial_release_date": "2016-05-03T15:30:17+00:00", "revision_history": [ { "date": "2016-05-03T15:30:17+00:00", "number": "1", "summary": "Initial version" }, { "date": "2016-05-03T15:30:17+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-22T09:58:58+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Enterprise 3.1", "product": { "name": "Red Hat OpenShift Enterprise 3.1", "product_id": "7Server-RH7-RHOSE-3.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:3.1::el7" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "jenkins-0:1.642.2-1.el7.noarch", "product": { "name": "jenkins-0:1.642.2-1.el7.noarch", "product_id": "jenkins-0:1.642.2-1.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins@1.642.2-1.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "jenkins-0:1.642.2-1.el7.src", "product": { "name": "jenkins-0:1.642.2-1.el7.src", "product_id": "jenkins-0:1.642.2-1.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins@1.642.2-1.el7?arch=src" } } }, { "category": "product_version", "name": "jenkins-plugin-credentials-0:1.24-2.el7.src", "product": { "name": "jenkins-plugin-credentials-0:1.24-2.el7.src", "product_id": "jenkins-plugin-credentials-0:1.24-2.el7.src", 
"product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins-plugin-credentials@1.24-2.el7?arch=src" } } }, { "category": "product_version", "name": "jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src", "product": { "name": "jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src", "product_id": "jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins-plugin-openshift-pipeline@1.0.9-1.el7?arch=src" } } }, { "category": "product_version", "name": "jenkins-plugin-durable-task-0:1.7-1.el7.src", "product": { "name": "jenkins-plugin-durable-task-0:1.7-1.el7.src", "product_id": "jenkins-plugin-durable-task-0:1.7-1.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins-plugin-durable-task@1.7-1.el7?arch=src" } } }, { "category": "product_version", "name": "jenkins-plugin-kubernetes-0:0.5-1.el7.src", "product": { "name": "jenkins-plugin-kubernetes-0:0.5-1.el7.src", "product_id": "jenkins-plugin-kubernetes-0:0.5-1.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins-plugin-kubernetes@0.5-1.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "jenkins-plugin-credentials-0:1.24-2.el7.x86_64", "product": { "name": "jenkins-plugin-credentials-0:1.24-2.el7.x86_64", "product_id": "jenkins-plugin-credentials-0:1.24-2.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins-plugin-credentials@1.24-2.el7?arch=x86_64" } } }, { "category": "product_version", "name": "jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64", "product": { "name": "jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64", "product_id": "jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins-plugin-openshift-pipeline@1.0.9-1.el7?arch=x86_64" } } }, { "category": "product_version", "name": 
"jenkins-plugin-durable-task-0:1.7-1.el7.x86_64", "product": { "name": "jenkins-plugin-durable-task-0:1.7-1.el7.x86_64", "product_id": "jenkins-plugin-durable-task-0:1.7-1.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins-plugin-durable-task@1.7-1.el7?arch=x86_64" } } }, { "category": "product_version", "name": "jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64", "product": { "name": "jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64", "product_id": "jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins-plugin-kubernetes@0.5-1.el7?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "jenkins-0:1.642.2-1.el7.noarch as a component of Red Hat OpenShift Enterprise 3.1", "product_id": "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch" }, "product_reference": "jenkins-0:1.642.2-1.el7.noarch", "relates_to_product_reference": "7Server-RH7-RHOSE-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-0:1.642.2-1.el7.src as a component of Red Hat OpenShift Enterprise 3.1", "product_id": "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src" }, "product_reference": "jenkins-0:1.642.2-1.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-plugin-credentials-0:1.24-2.el7.src as a component of Red Hat OpenShift Enterprise 3.1", "product_id": "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src" }, "product_reference": "jenkins-plugin-credentials-0:1.24-2.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-plugin-credentials-0:1.24-2.el7.x86_64 as a component of Red Hat OpenShift Enterprise 3.1", "product_id": 
"7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64" }, "product_reference": "jenkins-plugin-credentials-0:1.24-2.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-plugin-durable-task-0:1.7-1.el7.src as a component of Red Hat OpenShift Enterprise 3.1", "product_id": "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src" }, "product_reference": "jenkins-plugin-durable-task-0:1.7-1.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-plugin-durable-task-0:1.7-1.el7.x86_64 as a component of Red Hat OpenShift Enterprise 3.1", "product_id": "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64" }, "product_reference": "jenkins-plugin-durable-task-0:1.7-1.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-plugin-kubernetes-0:0.5-1.el7.src as a component of Red Hat OpenShift Enterprise 3.1", "product_id": "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src" }, "product_reference": "jenkins-plugin-kubernetes-0:0.5-1.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64 as a component of Red Hat OpenShift Enterprise 3.1", "product_id": "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64" }, "product_reference": "jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src as a component of Red Hat OpenShift Enterprise 3.1", "product_id": "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src" }, 
"product_reference": "jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64 as a component of Red Hat OpenShift Enterprise 3.1", "product_id": "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64" }, "product_reference": "jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-3.1" } ] }, "vulnerabilities": [ { "cve": "CVE-2016-0788", "discovery_date": "2016-02-24T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1311946" } ], "notes": [ { "category": "description", "text": "The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: Remote code execution vulnerability in remoting module (SECURITY-232)", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch", "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64", 
"7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2016-0788" }, { "category": "external", "summary": "RHBZ#1311946", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311946" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2016-0788", "url": "https://www.cve.org/CVERecord?id=CVE-2016-0788" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-0788", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0788" }, { "category": "external", "summary": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24", "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24" } ], "release_date": "2016-02-24T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2016-05-03T15:30:17+00:00", "details": "Before applying this update, make sure all previously released errata \nrelevant to your system have been applied.\n\nThe Red Hat Enterprise Linux container images provided by this update can \nbe downloaded from the Red Hat Container Registry at \nregistry.access.redhat.com using the \"docker pull\" command. Dockerfiles and \nscripts should be amended either to refer to this new image specifically, \nor to the latest image generally.\n\nThe packages in this update are available via the Red Hat Network. 
Details \non how to use the Red Hat Network to apply this update are available at \nhttps://access.redhat.com/articles/11258.", "product_ids": [ "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch", "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2016:0711" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "products": [ "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch", "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], 
"title": "jenkins: Remote code execution vulnerability in remoting module (SECURITY-232)" }, { "cve": "CVE-2016-0789", "discovery_date": "2016-02-24T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1311947" } ], "notes": [ { "category": "description", "text": "CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: HTTP response splitting vulnerability (SECURITY-238)", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch", "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2016-0789" }, { "category": "external", "summary": "RHBZ#1311947", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311947" }, { "category": "external", "summary": 
"https://www.cve.org/CVERecord?id=CVE-2016-0789", "url": "https://www.cve.org/CVERecord?id=CVE-2016-0789" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-0789", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0789" }, { "category": "external", "summary": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24", "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24" } ], "release_date": "2016-02-24T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2016-05-03T15:30:17+00:00", "details": "Before applying this update, make sure all previously released errata \nrelevant to your system have been applied.\n\nThe Red Hat Enterprise Linux container images provided by this update can \nbe downloaded from the Red Hat Container Registry at \nregistry.access.redhat.com using the \"docker pull\" command. Dockerfiles and \nscripts should be amended either to refer to this new image specifically, \nor to the latest image generally.\n\nThe packages in this update are available via the Red Hat Network. 
Details \non how to use the Red Hat Network to apply this update are available at \nhttps://access.redhat.com/articles/11258.", "product_ids": [ "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch", "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2016:0711" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0" }, "products": [ "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch", "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], 
"title": "jenkins: HTTP response splitting vulnerability (SECURITY-238)" }, { "cve": "CVE-2016-0790", "discovery_date": "2016-02-24T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1311948" } ], "notes": [ { "category": "description", "text": "Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: Non-constant time comparison of API token (SECURITY-241)", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch", "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2016-0790" }, { "category": "external", "summary": "RHBZ#1311948", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311948" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2016-0790", "url": 
"https://www.cve.org/CVERecord?id=CVE-2016-0790" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-0790", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0790" }, { "category": "external", "summary": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24", "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24" } ], "release_date": "2016-02-24T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2016-05-03T15:30:17+00:00", "details": "Before applying this update, make sure all previously released errata \nrelevant to your system have been applied.\n\nThe Red Hat Enterprise Linux container images provided by this update can \nbe downloaded from the Red Hat Container Registry at \nregistry.access.redhat.com using the \"docker pull\" command. Dockerfiles and \nscripts should be amended either to refer to this new image specifically, \nor to the latest image generally.\n\nThe packages in this update are available via the Red Hat Network. 
Details \non how to use the Red Hat Network to apply this update are available at \nhttps://access.redhat.com/articles/11258.", "product_ids": [ "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch", "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2016:0711" } ], "scores": [ { "cvss_v2": { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0" }, "products": [ "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch", "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], 
"title": "jenkins: Non-constant time comparison of API token (SECURITY-241)" }, { "cve": "CVE-2016-0791", "discovery_date": "2016-02-24T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1311949" } ], "notes": [ { "category": "description", "text": "Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: Non-constant time comparison of CSRF crumbs (SECURITY-245)", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch", "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2016-0791" }, { "category": "external", "summary": "RHBZ#1311949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311949" }, { "category": "external", "summary": 
"https://www.cve.org/CVERecord?id=CVE-2016-0791", "url": "https://www.cve.org/CVERecord?id=CVE-2016-0791" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-0791", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0791" }, { "category": "external", "summary": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24", "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24" } ], "release_date": "2016-02-24T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2016-05-03T15:30:17+00:00", "details": "Before applying this update, make sure all previously released errata \nrelevant to your system have been applied.\n\nThe Red Hat Enterprise Linux container images provided by this update can \nbe downloaded from the Red Hat Container Registry at \nregistry.access.redhat.com using the \"docker pull\" command. Dockerfiles and \nscripts should be amended either to refer to this new image specifically, \nor to the latest image generally.\n\nThe packages in this update are available via the Red Hat Network. Details \non how to use the Red Hat Network to apply this update are available at \nhttps://access.redhat.com/articles/11258.", "product_ids": [ "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch", "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2016:0711" } ], "scores": [ { "cvss_v2": { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:N", "version": "2.0" }, "products": [ "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch", "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], 
"title": "jenkins: Non-constant time comparison of CSRF crumbs (SECURITY-245)" }, { "cve": "CVE-2016-0792", "discovery_date": "2016-02-24T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1311950" } ], "notes": [ { "category": "description", "text": "Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins: Remote code execution through remote API (SECURITY-247)", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch", "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2016-0792" }, { "category": "external", "summary": "RHBZ#1311950", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311950" }, { "category": "external", "summary": 
"https://www.cve.org/CVERecord?id=CVE-2016-0792", "url": "https://www.cve.org/CVERecord?id=CVE-2016-0792" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-0792", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0792" }, { "category": "external", "summary": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24", "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24" } ], "release_date": "2016-02-24T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2016-05-03T15:30:17+00:00", "details": "Before applying this update, make sure all previously released errata \nrelevant to your system have been applied.\n\nThe Red Hat Enterprise Linux container images provided by this update can \nbe downloaded from the Red Hat Container Registry at \nregistry.access.redhat.com using the \"docker pull\" command. Dockerfiles and \nscripts should be amended either to refer to this new image specifically, \nor to the latest image generally.\n\nThe packages in this update are available via the Red Hat Network. Details \non how to use the Red Hat Network to apply this update are available at \nhttps://access.redhat.com/articles/11258.", "product_ids": [ "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch", "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2016:0711" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "products": [ "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.noarch", "7Server-RH7-RHOSE-3.1:jenkins-0:1.642.2-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-credentials-0:1.24-2.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-durable-task-0:1.7-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-kubernetes-0:0.5-1.el7.x86_64", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.src", "7Server-RH7-RHOSE-3.1:jenkins-plugin-openshift-pipeline-0:1.0.9-1.el7.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], 
"title": "jenkins: Remote code execution through remote API (SECURITY-247)" } ] }
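The descriptions for SECURITY-241 (API token) and SECURITY-245 (CSRF crumb) above both say the same thing: the comparison was not constant-time, so an attacker who can measure the server's response can replace a search over the whole token space with a search over one position at a time. The following is an added example, not code from Jenkins, Red Hat or the advisory; Jenkins itself is Java, but the example is in Python so the leak can be shown by counting bytes examined rather than by timing a real server. The secret token, the hex alphabet, and the toy `make_oracle` endpoint are all constructed for the illustration.

```python
"""Added example (not Jenkins or Red Hat code): why a non-constant-time
token comparison turns a brute-force search into a byte-at-a-time search.

Everything here is constructed: the secret token, the toy server oracle,
and the hex alphabet. The timing side channel is modelled by counting how
many bytes the comparison examines, which is what an attacker would
measure as response latency against a real server.
"""
import hmac
from typing import Callable, Tuple

# Constructed secret standing in for a server-held CSRF crumb or API token.
SECRET_TOKEN = b"7f3a9c1e4b2d8f60"
ALPHABET = b"0123456789abcdef"


def leaky_equal(expected: bytes, candidate: bytes) -> Tuple[bool, int]:
    """Early-exit comparison of the kind the advisory describes.

    Returns (match, bytes_examined). Work stops at the first mismatching
    byte, so bytes_examined grows with the length of the correct prefix.
    """
    if len(expected) != len(candidate):
        return False, 0
    examined = 0
    for a, b in zip(expected, candidate):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_equal(expected: bytes, candidate: bytes) -> Tuple[bool, int]:
    """Fixed-work comparison: every byte is examined whatever the input.

    OR-accumulating the XOR of each byte pair avoids a data-dependent early
    exit. Returns the same (match, bytes_examined) shape as leaky_equal so
    both can be plugged into the same attacker below.
    """
    if len(expected) != len(candidate):
        return False, 0  # length is not secret for fixed-size tokens
    acc = 0
    for a, b in zip(expected, candidate):
        acc |= a ^ b
    return acc == 0, len(expected)


def make_oracle(compare: Callable[[bytes, bytes], Tuple[bool, int]]):
    """Toy server endpoint: checks a submitted token with the given comparison."""
    def oracle(submitted: bytes) -> Tuple[bool, int]:
        return compare(SECRET_TOKEN, submitted)
    return oracle


def recover_token(oracle: Callable[[bytes], Tuple[bool, int]], length: int) -> Tuple[bytes, int]:
    """Byte-at-a-time recovery driven only by the side channel.

    For each position, try every alphabet byte and keep the guess that makes
    the server do the most work (a successful match counts as one extra unit
    so the final byte is also distinguishable). Returns (token, queries).
    Against a leaky comparison this needs at most len(ALPHABET) * length
    queries instead of len(ALPHABET) ** length.
    """
    known = b""
    queries = 0
    for pos in range(length):
        best_byte, best_score = ALPHABET[0], -1
        for c in ALPHABET:
            guess = known + bytes([c]) + b"\x00" * (length - pos - 1)
            matched, examined = oracle(guess)
            queries += 1
            score = examined + (1 if matched else 0)
            if score > best_score:
                best_byte, best_score = c, score
        known += bytes([best_byte])
    return known, queries


def demo() -> dict:
    """Run the attacker against both oracles and report what it recovered."""
    leaky_token, leaky_queries = recover_token(make_oracle(leaky_equal), len(SECRET_TOKEN))
    ct_token, ct_queries = recover_token(make_oracle(constant_time_equal), len(SECRET_TOKEN))
    return {
        "leaky_recovered": leaky_token == SECRET_TOKEN,
        "leaky_queries": leaky_queries,
        "constant_time_recovered": ct_token == SECRET_TOKEN,
        "constant_time_queries": ct_queries,
        "agrees_with_stdlib": constant_time_equal(SECRET_TOKEN, SECRET_TOKEN)[0]
        == hmac.compare_digest(SECRET_TOKEN, SECRET_TOKEN),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the early-exit comparison the attacker recovers the 16-byte hex token in 256 queries; against the fixed-work comparison the same 256 queries yield nothing, because every wrong guess costs the server the same amount of work. In production code use the platform primitive rather than a hand-rolled loop: `hmac.compare_digest` in Python, `MessageDigest.isEqual` in the JDK. The noiseless counter here is an idealisation; over a real network the signal is buried in jitter and needs many repeated measurements per guess, which is part of why the advisory rates these two issues Moderate with CVSS access complexity High rather than Important.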