FreeBSD : jenkins -- HTTP access to the server to retrieve the master cryptographic key (3a65d33b-5950-11e2-b66b-00e0814cab4e)

high Nessus Plugin ID 63401

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

Jenkins Security Advisory reports :

This advisory announces a security vulnerability that was found in Jenkins core.

An attacker can then use this master cryptographic key to mount remote code execution attack against the Jenkins master, or impersonate arbitrary users in making REST API calls.

There are several factors that mitigate some of these problems that may apply to specific installations.

- The particular attack vector is only applicable on Jenkins instances that have slaves attached to them, and allow anonymous read access.

- Jenkins allows users to re-generate the API tokens. Those re-generated API tokens cannot be impersonated by the attacker.

Solution

Update the affected package.

See Also

http://www.nessus.org/u?0f8bc6d8

http://www.nessus.org/u?d9ac4ef7

Plugin Details

Severity: High

ID: 63401

File Name: freebsd_pkg_3a65d33b595011e2b66b00e0814cab4e.nasl

Version: 1.5

Type: local

Published: 1/8/2013

Updated: 1/6/2021

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:jenkins, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 1/8/2013

Vulnerability Publication Date: 1/4/2013