Jenkins < 1.502 / 1.480.3 and Jenkins Enterprise 1.447.x / 1.466.x / 1.480.x < 1.447.7.1 / 1.466.13.1 / 1.480.3.1 Multiple Vulnerabilities

High Nessus Plugin ID 65056

Synopsis

The remote web server hosts a job scheduling / management system that
is affected by multiple vulnerabilities.

Description

The remote web server hosts a version of Jenkins or Jenkins Enterprise
that is affected by multiple vulnerabilities:

- An unspecified cross-site scripting vulnerability. (CVE-2013-0328)

- Multiple unspecified cross-site request forgery vulnerabilities. (CVE-2013-0327, CVE-2013-0329)

- An unspecified denial of service vulnerability. (CVE-2013-0331)

- An unspecified security bypass vulnerability exists that could allow an attacker to build otherwise restricted jobs. (CVE-2013-0330)

Solution

Upgrade to Jenkins 1.502 / 1.480.3, Jenkins Enterprise 1.447.7.1 /
1.466.13.1 / 1.480.3.1 or later.

See Also

http://www.nessus.org/u?874c7641

http://www.nessus.org/u?02083a79

Plugin Details

Severity: High

ID: 65056

File Name: jenkins_1_502.nasl

Version: 1.13

Type: remote

Family: CGI abuses

Published: 2013/03/06

Modified: 2018/11/28

Dependencies: 65054

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.1

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:cloudbees:jenkins

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2013/02/16

Vulnerability Publication Date: 2013/02/16

Reference Information

CVE: CVE-2013-0327, CVE-2013-0328, CVE-2013-0329, CVE-2013-0330, CVE-2013-0331

BID: 58454, 58456, 58721, 58722, 58726

CWE: 20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990