FreeBSD: VID-AABA17AA-782E-4843-8A79-7756CFA2BF89: jenkins -- multiple vulnerabilities
Description
Jenkins developers report:
The Jenkins CLI sent different error responses for commands with
view and agent arguments depending on the existence of the specified
views or agents to unauthorized users. This allowed attackers to
determine whether views or agents with specified names exist.
The Jenkins CLI now returns the same error messages to unauthorized
users independent of the existence of specified view or agent
names
Some JavaScript confirmation dialogs included the item name in an
unsafe manner, resulting in a possible cross-site scripting
vulnerability exploitable by users with permission to create or
configure items.
JavaScript confirmation dialogs that include the item name now
properly escape it, so it can be safely displayed.
Solution(s)
- freebsd-upgrade-package-jenkins
- freebsd-upgrade-package-jenkins-lts
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center