This script is Copyright (C) 2016 Tenable Network Security, Inc.
The remote FreeBSD host is missing one or more security-related
Jenkins Security Advisory

Description :

SECURITY-232 / CVE-2016-0788 (Remote code execution vulnerability in remoting module)
A vulnerability in the Jenkins remoting module allowed unauthenticated remote attackers to open a JRMP listener on the server hosting the Jenkins master process, which allowed arbitrary code execution.

SECURITY-238 / CVE-2016-0789 (HTTP response splitting vulnerability)
An HTTP response splitting vulnerability in the CLI command documentation allowed attackers to craft Jenkins URLs that serve malicious content.

SECURITY-241 / CVE-2016-0790 (Non-constant time comparison of API token)
The verification of user-provided API tokens with the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to use statistical methods to determine valid API tokens using brute-force methods.

SECURITY-245 / CVE-2016-0791 (Non-constant time comparison of CSRF crumbs)
The verification of user-provided CSRF crumbs with the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to use statistical methods to determine valid CSRF crumbs using brute-force methods.

SECURITY-247 / CVE-2016-0792 (Remote code execution through remote API)
Jenkins has several API endpoints that allow low-privilege users to POST XML files that then get deserialized by Jenkins. Maliciously crafted XML files sent to these API endpoints could result in arbitrary code execution.
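The two "non-constant time comparison" entries above (SECURITY-241 and SECURITY-245) describe the same defect: a secret is checked with a comparison that returns as soon as the first byte differs, so the time taken reveals how many leading bytes of a guess are right. The following is an added illustration, not Jenkins code and not from the advisory: it instruments an early-exit comparison next to a constant-time one, counting how many bytes each examines, and shows the standard-library routine a fix would normally use. The function names and the sample token are constructed for the example.

```python
import hmac


def naive_compare(expected: bytes, provided: bytes) -> tuple[bool, int]:
    """Early-exit comparison, the pattern behind SECURITY-241/245.

    Returns (equal, bytes_examined). The work done before returning
    depends on the position of the first mismatch, so elapsed time
    leaks how much of the guess is correct.
    """
    examined = 0
    if len(expected) != len(provided):
        return False, examined
    for a, b in zip(expected, provided):
        examined += 1
        if a != b:          # bail out at the first differing byte
            return False, examined
    return True, examined


def constant_time_compare(expected: bytes, provided: bytes) -> tuple[bool, int]:
    """Constant-time comparison: every byte is examined regardless of
    where mismatches occur, so bytes_examined is always len(expected)
    for equal-length inputs.

    Length still leaks here; a real implementation hashes both sides
    first (or uses hmac.compare_digest) so that the compared values
    always have the same length.
    """
    if len(expected) != len(provided):
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(expected, provided):
        examined += 1
        diff |= a ^ b       # accumulate differences, never branch on them
    return diff == 0, examined


def verify_api_token(expected: str, provided: str) -> bool:
    """What a hardened check looks like in practice: defer to the
    standard library's constant-time routine (hypothetical helper name).
    """
    return hmac.compare_digest(expected.encode(), provided.encode())


# Constructed sample token and two guesses: one wrong in the first byte,
# one wrong only in the last byte.
EXPECTED_TOKEN = b"d41d8cd98f00b204"
GUESS_EARLY_MISS = b"X41d8cd98f00b204"
GUESS_LATE_MISS = b"d41d8cd98f00b20X"

if __name__ == "__main__":
    for label, guess in (("early miss", GUESS_EARLY_MISS), ("late miss", GUESS_LATE_MISS)):
        ok_n, n = naive_compare(EXPECTED_TOKEN, guess)
        ok_c, c = constant_time_compare(EXPECTED_TOKEN, guess)
        print(f"{label}: naive examined {n} bytes, constant-time examined {c} bytes")
    print("library check, correct token:", verify_api_token("abc", "abc"))
```

Run stand-alone, the script shows the naive comparison examining 1 byte for the early miss and 16 for the late miss, while the constant-time version examines all 16 in both cases; that difference in work is what the advisory's "statistical methods" would measure.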
See also :
Update the affected packages.
Risk factor :