FreeBSD : jenkins -- multiple vulnerabilities (7e01df39-db7e-11e5-b937-00e0814cab4e)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

Jenkins Security Advisory: Description

SECURITY-232 / CVE-2016-0788 (Remote code execution vulnerability in
remoting module)
A vulnerability in the Jenkins remoting module allowed unauthenticated
remote attackers to open a JRMP listener on the server hosting the
Jenkins master process, which allowed arbitrary code execution.

SECURITY-238 / CVE-2016-0789 (HTTP response splitting vulnerability)
An HTTP response splitting vulnerability in the CLI command
documentation allowed attackers to craft Jenkins URLs that serve
malicious content.

SECURITY-241 / CVE-2016-0790 (Non-constant time comparison of API
token)
The verification of user-provided API tokens against the expected
value did not use a constant-time comparison algorithm, potentially
allowing attackers to use statistical methods to determine valid API
tokens using brute-force methods.

SECURITY-245 / CVE-2016-0791 (Non-constant time comparison of CSRF
crumbs)
The verification of user-provided CSRF crumbs against the expected
value did not use a constant-time comparison algorithm, potentially
allowing attackers to use statistical methods to determine valid CSRF
crumbs using brute-force methods.

SECURITY-247 / CVE-2016-0792 (Remote code execution through remote
API)
Jenkins has several API endpoints that allow low-privilege users to
POST XML files that then get deserialized by Jenkins. Maliciously
crafted XML files sent to these API endpoints could result in
arbitrary code execution.
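As an added illustration of the weakness behind SECURITY-241 and SECURITY-245 (example code written for this page, not Jenkins code), the following Python contrasts an early-exit comparison with one whose work does not depend on where the first mismatch occurs; the token values are constructed, and the byte counters make the leak visible without timing measurements.

```python
"""Constant-time comparison of secrets such as API tokens or CSRF crumbs.

Added example, not Jenkins code. An early-exit comparison stops at the
first differing byte, so the work it does grows with the length of the
matching prefix; that difference is what a timing side channel exposes.
"""
from __future__ import annotations

import hmac


def naive_compare(expected: bytes, provided: bytes) -> tuple[bool, int]:
    """Early-exit compare. Returns (equal, number_of_bytes_examined).

    The second value is instrumentation for the example: it shows that the
    amount of work depends on how many leading bytes of `provided` match.
    """
    if len(expected) != len(provided):
        return False, 0
    examined = 0
    for a, b in zip(expected, provided):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(expected: bytes, provided: bytes) -> tuple[bool, int]:
    """Examine every byte regardless of mismatches, accumulating XOR differences.

    The result is only read after the loop, so the work done is the same for
    a completely wrong guess and for a guess that is off by one byte.
    """
    if len(expected) != len(provided):
        # Length still leaks here; real code compares fixed-length values.
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(expected, provided):
        examined += 1
        diff |= a ^ b
    return diff == 0, examined


def verify_token(expected: bytes, provided: bytes) -> bool:
    """Production-style check: defer to the standard library primitive."""
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    token = b"0123456789abcdef"  # constructed sample secret
    for guess in (b"x123456789abcdef", b"01234567x9abcdef", token):
        print(guess, naive_compare(token, guess), constant_time_compare(token, guess))
```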

See also :

http://www.nessus.org/u?c87d9d2e
http://www.nessus.org/u?367b1645

Solution :

Update the affected packages.

Risk factor :

High

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 88945

CVE ID: CVE-2016-0788, CVE-2016-0789, CVE-2016-0790, CVE-2016-0791,
CVE-2016-0792
