This script is Copyright (C) 2014 Tenable Network Security, Inc.
The remote web server hosts a job scheduling / management system that
is affected by multiple vulnerabilities.
The remote web server hosts a version of Jenkins or Jenkins Enterprise
that is affected by multiple vulnerabilities :
- A flaw in the default markup formatter allows cross-site scripting via the Description field in the user
- A security bypass vulnerability allows remote authenticated attackers to change configurations and execute arbitrary jobs. (CVE-2013-7285, CVE-2013-7330,
- An unspecified flaw in the Winstone servlet allows remote attackers to hijack sessions. (CVE-2014-2060)
- An input control flaw in 'PasswordParameterDefinition' allows remote attackers to disclose sensitive information, including passwords. (CVE-2014-2061)
- A security bypass vulnerability exists because API tokens are not invalidated when a user is deleted.
- An unspecified flaw allows remote attackers to conduct clickjacking attacks. (CVE-2014-2063)
- An information disclosure vulnerability in the 'loadUserByUsername' function allows remote attackers to determine whether a user exists via vectors related to failed login attempts. (CVE-2014-2064)
- A cross-site scripting vulnerability exists due to improper input validation of the 'iconSize' cookie.
- A session fixation vulnerability allows remote attackers to hijack web sessions. (CVE-2014-2066)
- An information disclosure vulnerability in the 'doIndex' function in 'hudson/util/RemotingDiagnostics.java' allows remote authenticated users with the 'ADMINISTRATOR' permission to obtain sensitive information via heapDump. (CVE-2014-2068)
See also :
Upgrade to Jenkins 1.551 / 1.532.2 or Jenkins Enterprise 1.509.5.1 /
1.532.2.2 or later.
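The remediation above names fixed releases on four separate lines (mainline Jenkins, Jenkins LTS, and two Jenkins Enterprise lines), so a plain numeric comparison of version strings gives wrong answers: mainline 1.540 sorts above LTS 1.532.2 yet is still affected. The following is an added example, not Tenable's plugin code, of a defender-side check that applies the advisory's thresholds to an inventory of already-collected version strings. It assumes the usual Jenkins numbering shapes (mainline 1.N, LTS 1.N.M, Enterprise 1.N.M.P) and treats any release line newer than the newest fixed line as "later" and therefore fixed; the host records are constructed sample data.

```python
import re

# Fixed releases taken from the advisory. Version-shape assumption: mainline
# Jenkins is "1.N", Jenkins LTS is "1.N.M", Jenkins Enterprise is "1.N.M.P".
FIXED_MAINLINE = (1, 551)
FIXED_LTS = [(1, 532, 2)]
FIXED_ENTERPRISE = [(1, 509, 5, 1), (1, 532, 2, 2)]


def parse_version(text):
    """Turn a dotted version string into a tuple of ints; reject anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(part) for part in text.split("."))


def _fixed_on_line(version, fixed_releases):
    """Compare within the release line (first two components) the version is on.

    If the advisory names a fixed release for that line, the version must be at
    or past it. Lines newer than the newest fixed line are assumed fixed ("or
    later"); older lines with no fixed release remain affected.
    """
    line = version[:2]
    for fixed in fixed_releases:
        if fixed[:2] == line:
            return version >= fixed
    return line > max(f[:2] for f in fixed_releases)


def is_fixed(version_text, product="jenkins"):
    """True if the reported version is at or past the advisory's fixed release."""
    version = parse_version(version_text)
    if product == "jenkins" and len(version) == 2:      # mainline 1.N
        return version >= FIXED_MAINLINE
    if product == "jenkins" and len(version) == 3:      # LTS 1.N.M
        return _fixed_on_line(version, FIXED_LTS)
    if product == "enterprise" and len(version) == 4:   # Enterprise 1.N.M.P
        return _fixed_on_line(version, FIXED_ENTERPRISE)
    raise ValueError("version %r does not match product %r" % (version_text, product))


def affected_hosts(inventory):
    """Return the host names whose recorded Jenkins version is still affected."""
    return [host for host, product, version in inventory
            if not is_fixed(version, product)]


# Constructed sample inventory: (host, product, version reported by the server).
SAMPLE_INVENTORY = [
    ("ci-01.example.test", "jenkins", "1.551"),        # mainline, fixed
    ("ci-02.example.test", "jenkins", "1.540"),        # mainline, affected
    ("ci-03.example.test", "jenkins", "1.532.2"),      # LTS, fixed
    ("ci-04.example.test", "jenkins", "1.509.4"),      # older LTS line, affected
    ("ci-05.example.test", "enterprise", "1.509.5.1"), # Enterprise, fixed
    ("ci-06.example.test", "enterprise", "1.532.2.1"), # Enterprise, affected
]

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print("affected:", host)
```

The check deliberately refuses version strings whose shape does not match the stated product rather than guessing, since an LTS string fed through the mainline comparison would silently pass; in practice the version and edition come from an inventory or the server's own version reporting, and any record that raises here needs a manual look.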
Risk factor :
High / CVSS Base Score : 9.0
CVSS Temporal Score : 9.0
Public Exploit Available : true