CVSS3: 3.4 Low
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

CVSS2: 6.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.975 High
Percentile: 100.0%

Kohsuke Kawaguchi from Jenkins team reports:

Historically, Jenkins master and slaves behaved as if
they altogether form a single distributed process. This
means a slave can ask a master to do just about anything
within the confinement of the operating system, such as
accessing files on the master or triggering other jobs on
Jenkins.

This has increasingly become problematic, as larger
enterprise deployments have developed more sophisticated
trust separation models, where the administrators of a master
might take slaves owned by other teams. In such an
environment, slaves are less trusted than the master.
Yet the “single distributed process” assumption was not
communicated well to the users, resulting in vulnerabilities
in some deployments.

SECURITY-144 (CVE-2014-3665) introduces a new subsystem
to address this problem. This feature is off by default for
compatibility reasons. See Wiki for more details, who should
turn this on, and implications.

CVE-2014-3566 is rated high. It only affects
installations that accept slaves from less trusted
computers, but this will allow an owner of such a slave to
mount a remote code execution attack on Jenkins.