K17455 : Multiple Jenkins vulnerabilities

Security Advisory Description

• CVE-2015-1806

It was found that the combination filter Groovy script could allow a remote attacker to potentially execute arbitrary code on a Jenkins master.

• CVE-2015-1807

It was found that when building artifacts, the Jenkins server would follow symbolic links, potentially resulting in disclosure of information on the server.

• CVE-2015-1808

A denial of service flaw was found in the way Jenkins handled certain update center data. An authenticated user could provide specially crafted update center data to Jenkins, causing plug-in and tool installation to not work properly.

• CVE-2015-1809

It was found that Jenkins’ XPath handling allowed XML External Entity (XXE) expansion. A remote attacker with read access could use this flaw to read arbitrary XML files on the Jenkins server.

• CVE-2015-1810

It was discovered that the internal Jenkins user database did not restrict access to reserved names, allowing users to escalate privileges.

• CVE-2015-1811

It was found that Jenkins’ XML handling allowed XML External Entity (XXE) expansion. A remote attacker with the ability to pass XML data to Jenkins could use this flaw to read arbitrary XML files on the Jenkins server.

• CVE-2015-1812

Two cross-site scripting (XSS) flaws were found in Jenkins. A remote attacker could use these flaws to conduct XSS attacks against users of an application using Jenkins.

• CVE-2015-1813

Two cross-site scripting (XSS) flaws were found in Jenkins. A remote attacker could use these flaws to conduct XSS attacks against users of an application using Jenkins.

• CVE-2015-1814

A flaw was found in the Jenkins API token-issuing service. The service was not properly protected against anonymous users, potentially allowing remote attackers to escalate privileges.
Impact
There is no impact; F5 products are not affected by these vulnerabilities.