FreeBSD : jenkins -- HTTP access to the server to retrieve the master cryptographic key (3a65d33b-5950-11e2-b66b-00e0814cab4e)

This script is Copyright (C) 2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

Jenkins Security Advisory reports :

This advisory announces a security vulnerability that was found in
Jenkins core.

An attacker can then use this master cryptographic key to mount a remote
code execution attack against the Jenkins master, or to impersonate
arbitrary users when making REST API calls.

There are several factors that mitigate some of these problems that
may apply to specific installations.

- The particular attack vector is only applicable on Jenkins instances
that have slaves attached to them, and allow anonymous read access.

- Jenkins allows users to re-generate the API tokens. Those
re-generated API tokens cannot be impersonated by the attacker.

See also :

http://www.nessus.org/u?0f8bc6d8
http://www.nessus.org/u?0ae5530d

Solution :

Update the affected package.

Risk factor :

High

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 63401

Bugtraq ID:

CVE ID:
