FreeBSD: jenkins -- multiple vulnerabilities
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:M/Au:N/C:C/I:C/A:C) | Feb 24, 2016 | Feb 26, 2016 | Feb 19, 2025 |
Description
Jenkins Security Advisory:
SECURITY-232 / CVE-2016-0788 (Remote code execution vulnerability in remoting module)
A vulnerability in the Jenkins remoting module allowed
unauthenticated remote attackers to open a JRMP listener on the
server hosting the Jenkins master process, which allowed arbitrary
code execution.
SECURITY-238 / CVE-2016-0789 (HTTP response splitting vulnerability)
An HTTP response splitting vulnerability in the CLI command
documentation allowed attackers to craft Jenkins URLs that serve
malicious content.
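The mechanism behind a response splitting bug, as an added illustration that is not Jenkins code and does not reproduce the CLI-documentation vector (the advisory does not give it): a URL-derived value is URL-decoded and interpolated into a header line, so `%0d%0a` in the request becomes a CRLF in the response and lets the attacker end the headers early and supply a body. The payload, the tiny redirect handler and the minimal client-side parser are all constructed here for the demonstration.

```python
from urllib.parse import unquote

# Constructed payload: CRLFs end the Location header, add two attacker headers,
# then terminate the header block so the rest is served as the body.
INJECTED_TARGET = (
    "/%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025"
    "%0d%0a%0d%0a<script>alert(1)</script>"
)


def build_redirect_vulnerable(raw_target: str) -> bytes:
    """Hypothetical handler: decodes the caller-controlled value and drops it
    straight into a header line, which is the response splitting defect."""
    target = unquote(raw_target)
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def build_redirect_hardened(raw_target: str) -> bytes:
    """Same handler with the check a header-setting API must enforce: no CR, LF
    or NUL may reach a header value. Rejecting is safer than silently stripping,
    because a stripped value can still carry a different, unexpected meaning."""
    target = unquote(raw_target)
    if any(ch in target for ch in "\r\n\0"):
        raise ValueError("refusing CR, LF or NUL in a header value")
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_response(raw: bytes) -> tuple[str, dict, bytes, bytes]:
    """Minimal client-side parser: reads the status line and headers, honours
    Content-Length, and returns whatever bytes are left over. In a real client
    the leftover is treated as the start of the *next* response, which is where
    the 'splitting' name comes from."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode("latin-1").strip().lower()] = value.decode("latin-1").strip()
    length = int(headers.get("content-length", len(rest)))
    return status, headers, rest[:length], rest[length:]


if __name__ == "__main__":
    status, headers, body, leftover = parse_response(build_redirect_vulnerable(INJECTED_TARGET))
    print(status, headers)
    print("body served to the browser:", body)
    print("bytes a client would read as the next response:", leftover)
    try:
        build_redirect_hardened(INJECTED_TARGET)
    except ValueError as err:
        print("hardened handler:", err)
```

Run it and the vulnerable handler returns a 302 whose headers now carry the attacker's `Content-Type: text/html` and `Content-Length: 25`, with a body the attacker wrote; the server's own `Content-Length: 0` line is pushed past the body and becomes stray bytes on the connection. The hardened handler refuses the same input before any header is written.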
SECURITY-241 / CVE-2016-0790 (Non-constant time comparison of API token)
The verification of a user-provided API token against the expected
value did not use a constant-time comparison, so the time the check
takes depends on how many leading characters match. That timing
side channel potentially allows an attacker who measures responses
statistically to recover a valid API token character by character,
far faster than plain brute force.
SECURITY-245 / CVE-2016-0791 (Non-constant time comparison of CSRF crumbs)
The verification of a user-provided CSRF crumb against the expected
value had the same defect: no constant-time comparison, so the
time the check takes reveals how many leading characters match,
potentially allowing an attacker who measures responses
statistically to recover a valid crumb character by character
instead of by brute force.
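Why an early-exit comparison leaks the secret, covering both the API token (SECURITY-241) and the CSRF crumb (SECURITY-245) entries above, as an added example that is not Jenkins code. Instead of measuring wall-clock time, which is noisy in a short demo, the two comparators below also report how many characters they examined; that count stands in for the attacker-observable time. The simulated attacker only sees the (match, work) pair and still recovers the naive comparator's secret one character at a time, while the constant-time comparator gives it nothing. The sample token is a constructed value, not a real Jenkins token.

```python
import hmac
from typing import Callable

HEX_ALPHABET = "0123456789abcdef"

Comparator = Callable[[str, str], tuple[bool, int]]


def naive_equals(expected: str, provided: str) -> tuple[bool, int]:
    """Early-exit comparison, the behaviour of a plain string equality check.

    Returns (match, steps): steps is the number of characters examined before
    the loop stopped, i.e. the work an attacker can observe as response time.
    """
    if len(expected) != len(provided):
        return False, 0
    steps = 0
    for a, b in zip(expected, provided):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_time_equals(expected: str, provided: str) -> tuple[bool, int]:
    """Constant-time comparison: XOR-accumulate every byte, decide at the end.

    steps is always len(expected) for same-length inputs, so the position of
    the first mismatch is not observable. Only the length check still leaks,
    which is harmless for fixed-length tokens and crumbs.
    """
    if len(expected) != len(provided):
        return False, 0
    diff = 0
    steps = 0
    for a, b in zip(expected.encode(), provided.encode()):
        steps += 1
        diff |= a ^ b
    return diff == 0, steps


def library_equals(expected: str, provided: str) -> bool:
    """What production code should call instead of hand-rolling the loop above:
    the standard library's constant-time compare (Java has MessageDigest.isEqual)."""
    return hmac.compare_digest(expected.encode(), provided.encode())


def recover_by_timing(expected: str, alphabet: str, compare: Comparator) -> str:
    """Simulated attacker. For each position it submits every candidate
    character, padding the rest with a filler, and keeps the candidate that
    made the server do the most work. It never reads `expected` directly."""
    known = ""
    length = len(expected)
    filler = alphabet[0]
    while len(known) < length:
        best_char, best_steps = filler, -1
        for c in alphabet:
            guess = (known + c).ljust(length, filler)
            ok, steps = compare(expected, guess)
            if ok:
                return guess  # full match: the secret is recovered
            if steps > best_steps:
                best_char, best_steps = c, steps
        known += best_char
    return known


if __name__ == "__main__":
    token = "deadbeef"  # constructed sample secret
    print("naive comparator   ->", recover_by_timing(token, HEX_ALPHABET, naive_equals))
    print("constant-time      ->", recover_by_timing(token, HEX_ALPHABET, constant_time_equals))
```

With the naive comparator the attacker needs at most 16 guesses per hex digit (128 for the 8-character sample) instead of 16^8, because a correct digit makes the server examine at least one more character than a wrong one. Against the constant-time comparator every guess costs the same, the oracle collapses, and the attacker ends up with the filler string. Real timing noise is larger than one character's worth of work, which is why the advisory says "statistical methods": the attacker repeats each guess and averages, but the leak is still there to be averaged.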
SECURITY-247 / CVE-2016-0792 (Remote code execution through remote API)
Jenkins has several API endpoints that allow low-privilege users
to POST XML files that then get deserialized by Jenkins.
Maliciously crafted XML files sent to these API endpoints could
result in arbitrary code execution.