Jenkins versions 2.56 and earlier, as well as 2.46.1 LTS and earlier, are vulnerable to a cross-site request forgery (CSRF) issue in the Jenkins user database authentication realm: an attacker can create an account if signup is enabled, or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.
{"id": "RH:CVE-2017-1000356", "type": "redhatcve", "bulletinFamily": "info", "title": "CVE-2017-1000356", "description": "Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.\n", "published": "2017-04-27T09:48:18", "modified": "2021-10-13T16:56:34", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://access.redhat.com/security/cve/cve-2017-1000356", "reporter": "redhat.com", "references": ["https://jenkins.io/security/advisory/2017-04-26/", "https://bugzilla.redhat.com/show_bug.cgi?id=1446110"], "cvelist": ["CVE-2017-1000356"], "immutableFields": [], "lastseen": "2021-10-13T19:51:55", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "archlinux", "idList": ["ASA-201704-8"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0481"]}, 
{"type": "cve", "idList": ["CVE-2017-1000356"]}, {"type": "freebsd", "idList": ["631C4710-9BE5-4A80-9310-EB2847FE24DD"]}, {"type": "github", "idList": ["GHSA-85WQ-PQHP-HMQ6"]}, {"type": "nessus", "idList": ["FREEBSD_PKG_631C47109BE54A809310EB2847FE24DD.NASL", "JENKINS_2_57.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310107156", "OPENVAS:1361412562310107157"]}, {"type": "osv", "idList": ["OSV:GHSA-85WQ-PQHP-HMQ6"]}, {"type": "seebug", "idList": ["SSV:93063"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-1000356"]}]}, "score": {"value": 4.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "archlinux", "idList": ["ASA-201704-8"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0481"]}, {"type": "cve", "idList": ["CVE-2017-1000356"]}, {"type": "freebsd", "idList": ["631C4710-9BE5-4A80-9310-EB2847FE24DD"]}, {"type": "nessus", "idList": ["FREEBSD_PKG_631C47109BE54A809310EB2847FE24DD.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310107156", "OPENVAS:1361412562310107157"]}, {"type": "seebug", "idList": ["SSV:93063"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-1000356"]}]}, "exploitation": null, "vulnersScore": 4.2}, "vendorCvss": {"score": "5.4", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}, "_state": {"dependencies": 1659988328, "score": 1659993974}, "_internal": {"score_hash": "c66465d6f32afca46f42227843cbd0a0"}}
{"ubuntucve": [{"lastseen": "2022-08-04T13:52:43", "description": "Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are\nvulnerable to an issue in the Jenkins user database authentication realm:\ncreate an account if signup is enabled; or create an account if the victim\nis an administrator, possibly deleting the existing default admin user in\nthe process and allowing a wide variety of impacts.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-01-29T00:00:00", "type": "ubuntucve", "title": "CVE-2017-1000356", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000356"], "modified": "2018-01-29T00:00:00", "id": "UB:CVE-2017-1000356", "href": "https://ubuntu.com/security/CVE-2017-1000356", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2023-01-10T05:08:07", "description": "Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin 
user in the process and allowing a wide variety of impacts.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-14T03:44:36", "type": "osv", "title": "Cross-Site Request Forgery in Jenkins", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000356"], "modified": "2023-01-10T05:08:03", "id": "OSV:GHSA-85WQ-PQHP-HMQ6", "href": "https://osv.dev/vulnerability/GHSA-85wq-pqhp-hmq6", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:34:53", "description": "Multiple Cross-Site Request Forgery vulnerabilities exist in Jenkins CI. The vulnerabilities are due to a lack of CSRF protections on certain types of requests. A remote, unauthenticated attacker can exploit these vulnerabilities by enticing an authenticated user to click a maliciously crafted link or open a maliciously crafted web page. 
Successful exploitation of these vulnerabilities could lead to a variety of effects including denial-of-service, configuration changes, and, in the worst case, arbitrary command execution with the privileges of Jenkins.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-06-07T00:00:00", "type": "checkpoint_advisories", "title": "Jenkins CI Server Multiple Cross-Site Request Forgery (CVE-2017-1000356)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000356"], "modified": "2017-06-14T00:00:00", "id": "CPAI-2017-0481", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T11:57:53", "description": "Multiple Cross-Site Request Forgery vulnerabilities in Jenkins allowed malicious users to perform several administrative actions by tricking a victim into opening a web page. 
The most notable ones:\r\n\r\n* SECURITY-412: Restart Jenkins immediately, after all builds are finished, or after all plugin installations and builds are finished\r\n\r\n* SECURITY-412: Schedule a downgrade of Jenkins to a previously installed version if Jenkins previously upgraded itself\r\n\r\n* SECURITY-413: Install and (optionally) dynamically load any plugin present on a configured update site\r\n\r\n* SECURITY-414: Remove any update site from the Jenkins configuration\r\n\r\n* SECURITY-415: Change a user\u2019s API token\r\n\r\n* SECURITY-416: Submit system configuration\r\n\r\n* SECURITY-417: Submit global security configuration\r\n\r\n* SECURITY-418, SECURITY-420: For Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default _admin_ user in the process\r\n\r\n* SECURITY-419: Create a new agent, possibly executing arbitrary shell commands on the master node by choosing the appropriate launch method\r\n\r\n* SECURITY-420: Cancel a scheduled restart\r\n\r\n* SECURITY-420: Configure the global logging levels\r\n\r\n* SECURITY-420: Create a copy of an existing agent\r\n\r\n* SECURITY-420: Create copies of views in users' \"My Views\" or as children of the experimental \"Tree View\" feature\r\n\r\n* SECURITY-420: Enter \"quiet down\" mode in which no new builds are started\r\n\r\n* SECURITY-420: On Windows, after successful installation as a service, restart\r\n\r\n* SECURITY-420: On Windows, try to install Jenkins as a service\r\n\r\n* SECURITY-420: Set the descriptions of items (jobs), builds, and users\r\n\r\n* SECURITY-420: Submit global tools configuration (Jenkins 2.0 and up)\r\n\r\n* SECURITY-420: Toggle keeping a build forever (i.e. 
exclude or include it in log rotation)\r\n\r\n* SECURITY-420: Try to connect all disconnected agents simultaneously\r\n\r\n* SECURITY-420: Update the node monitor data on all agents\r\n\r\nThe above, as well as several other more minor issues, have all been fixed and these actions now require POST requests, and, if configured, a CSRF crumb, to work.", "cvss3": {}, "published": "2017-04-28T00:00:00", "type": "seebug", "title": "Jenkins Multiple CSRF vulnerabilities (CVE-2017-1000356)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-1000356"], "modified": "2017-04-28T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-93063", "id": "SSV:93063", "sourceData": "", "sourceHref": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "github": [{"lastseen": "2023-01-27T05:06:52", "description": "Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-14T03:44:36", "type": "github", "title": "Cross-Site Request Forgery in Jenkins", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000356"], "modified": "2023-01-27T05:02:38", "id": "GHSA-85WQ-PQHP-HMQ6", "href": "https://github.com/advisories/GHSA-85wq-pqhp-hmq6", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T12:09:34", "description": "Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-01-29T17:29:00", "type": "cve", "title": "CVE-2017-1000356", "cwe": ["CWE-352"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000356"], "modified": "2018-02-15T13:15:00", "cpe": ["cpe:/a:jenkins:jenkins:2.56", 
"cpe:/a:jenkins:jenkins:2.46.1"], "id": "CVE-2017-1000356", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000356", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:jenkins:jenkins:2.56:*:*:*:*:*:*:*", "cpe:2.3:a:jenkins:jenkins:2.46.1:*:*:*:lts:*:*:*"]}], "archlinux": [{"lastseen": "2021-07-28T16:34:11", "description": "Arch Linux Security Advisory ASA-201704-8\n=========================================\n\nSeverity: High\nDate : 2017-04-27\nCVE-ID : CVE-2017-1000354 CVE-2017-1000355 CVE-2017-1000356\nPackage : jenkins\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-255\n\nSummary\n=======\n\nThe package jenkins before version 2.57-1 is vulnerable to multiple\nissues including cross-site request forgery, privilege escalation and\narbitrary code execution.\n\nResolution\n==========\n\nUpgrade to 2.57-1.\n\n# pacman -Syu \"jenkins>=2.57-1\"\n\nThe problems have been fixed upstream in version 2.57.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2017-1000354 (privilege escalation)\n\nThe login command available in the remoting-based CLI stored the\nencrypted user name of the successfully authenticated user in a cache\nfile used to authenticate further commands. Users with sufficient\npermission to create secrets in Jenkins, and download their encrypted\nvalues (e.g. with Job/Configure permission), were able to impersonate\nany other Jenkins user on the same instance.\n\nThis has been fixed by storing the cached authentication as a hash-\nbased MAC with a key specific to the Jenkins instance and the CLI\nauthentication cache.\n\nPreviously cached authentications are invalidated when upgrading\nJenkins to a version containing a fix for this.\n\n- CVE-2017-1000355 (arbitrary code execution)\n\nJenkins uses the XStream library to serialize and deserialize XML. 
Its\nmaintainer recently published a security vulnerability that allows\nanyone able to provide XML to Jenkins for processing using XStream to\ncrash the Java process. In Jenkins this typically applies to users with\npermission to create or configure items (jobs), views, or agents.\n\nJenkins now prohibits the attempted deserialization of void / Void that\nresults in a crash.\n\n- CVE-2017-1000356 (cross-site request forgery)\n\nMultiple Cross-Site Request Forgery vulnerabilities in Jenkins allowed\nmalicious users to perform several administrative actions by tricking a\nvictim into opening a web page. The most notable ones:\n\nSECURITY-412: Restart Jenkins immediately, after all builds are\nfinished, or after all plugin installations and builds are finished\nSECURITY-412: Schedule a downgrade of Jenkins to a previously installed\nversion if Jenkins previously upgraded itself\nSECURITY-413: Install and (optionally) dynamically load any plugin\npresent on a configured update site\nSECURITY-414: Remove any update site from the Jenkins configuration\nSECURITY-415: Change a user\u2019s API token\nSECURITY-416: Submit system configuration\nSECURITY-417: Submit global security configuration\nSECURITY-418, SECURITY-420: For Jenkins user database authentication\nrealm: create an account if signup is enabled; or create an account if\nthe victim is an administrator, possibly deleting the existing default\nadmin user in the process\nSECURITY-419: Create a new agent, possibly executing arbitrary shell\ncommands on the master node by choosing the appropriate launch method\nSECURITY-420: Update the node monitor data on all agents\n\nImpact\n======\n\nA remote attacker can escalate privileges, execute arbitrary code or\nexecute cross-site request forgery which allows the attacker to perform\nseveral administrative 
actions.\n\nReferences\n==========\n\nhttps://jenkins.io/security/advisory/2017-04-26/\nhttp://seclists.org/oss-sec/2017/q2/132\nhttp://www.openwall.com/lists/oss-security/2017/04/03/4\nhttps://security.archlinux.org/CVE-2017-1000354\nhttps://security.archlinux.org/CVE-2017-1000355\nhttps://security.archlinux.org/CVE-2017-1000356", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-04-27T00:00:00", "type": "archlinux", "title": "[ASA-201704-8] jenkins: multiple issues", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000354", "CVE-2017-1000355", "CVE-2017-1000356"], "modified": "2017-04-27T00:00:00", "id": "ASA-201704-8", "href": "https://security.archlinux.org/ASA-201704-8", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-10-18T15:20:52", "description": "Multiple Cross-Site Request Forgery vulnerabilities in Jenkins allow malicious users to\n perform several administrative actions by tricking a victim into opening a web page.", "cvss3": {}, "published": "2017-04-28T00:00:00", "type": "openvas", "title": "Jenkins Multiple Vulnerabilities - Apr17 (Linux)", 
"bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000355", "CVE-2017-1000354", "CVE-2017-1000356", "CVE-2017-1000353"], "modified": "2019-10-17T00:00:00", "id": "OPENVAS:1361412562310107156", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310107156", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Jenkins Multiple Vulnerabilities - Apr17 (Linux)\n#\n# Authors:\n# Tameem Eissa <tameem.eissa@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:jenkins:jenkins\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.107156\");\n script_version(\"2019-10-17T11:27:19+0000\");\n script_tag(name:\"last_modification\", value:\"2019-10-17 11:27:19 +0000 (Thu, 17 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-04-28 12:09:09 +0200 (Fri, 28 Apr 2017)\");\n script_cve_id(\"CVE-2017-1000353\", \"CVE-2017-1000354\", \"CVE-2017-1000355\", \"CVE-2017-1000356\");\n script_bugtraq_id(98056);\n\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_name(\"Jenkins Multiple Vulnerabilities - Apr17 (Linux)\");\n\n script_tag(name:\"summary\", value:\"Multiple Cross-Site Request Forgery vulnerabilities in Jenkins allow malicious users to\n perform several administrative actions by tricking a victim into opening a web page.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to:\n\n - multiple Cross-Site Request Forgery vulnerabilities.\n\n - the storage of the encrypted user name in a cache file which is used to authenticate further commands.\n\n - XStream library which allow anyone able to provide XML to Jenkins for processing using XStream to crash the Java process.\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue allows attackers to:\n\n - perform several administrative actions by tricking a victim into opening a web page.execute 
arbitrary code in the context\n of the affected application.\n\n - to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, that would be deserialized using a new\n ObjectInputStream, bypassing the existing blacklist-based protection mechanism.\n\n - impersonate any other Jenkins user on the same instance.\n\n - crash the Java process.\");\n\n script_tag(name:\"affected\", value:\"Jenkins main line 2.56 and prior, Jenkins LTS 2.46.1 and prior.\");\n\n script_tag(name:\"solution\", value:\"Jenkins main line users should update to 2.57,\n Jenkins LTS users should update to 2.46.2.\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/98056\");\n script_xref(name:\"URL\", value:\"https://jenkins.io/security/advisory/2017-04-26/\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_jenkins_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"jenkins/detected\", \"Host/runs_unixoide\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) )\n exit(0);\n\nif( ! infos = get_app_full( cpe:CPE, port:port ) )\n exit(0);\n\nif( ! 
version = infos[\"version\"])\n exit(0);\n\nlocation = infos[\"location\"];\nproto = infos[\"proto\"];\n\nif( get_kb_item( \"jenkins/\" + port + \"/is_lts\" ) ) {\n if( version_is_less( version:version, test_version:\"2.46.2\" ) ) {\n vuln = TRUE;\n fix = \"2.46.2\";\n }\n} else {\n if( version_is_less( version:version, test_version:\"2.57\" ) ) {\n vuln = TRUE;\n fix = \"2.57\";\n }\n}\n\nif( vuln ) {\n report = report_fixed_ver( installed_version:version, fixed_version:fix, install_path:location );\n security_message( port:port, data:report, proto:proto );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-18T15:16:46", "description": "Multiple Cross-Site Request Forgery vulnerabilities in Jenkins allow malicious users to\n perform several administrative actions by tricking a victim into opening a web page.", "cvss3": {}, "published": "2017-04-28T00:00:00", "type": "openvas", "title": "Jenkins Multiple Vulnerabilities - Apr17 (Windows)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000355", "CVE-2017-1000354", "CVE-2017-1000356", "CVE-2017-1000353"], "modified": "2019-10-17T00:00:00", "id": "OPENVAS:1361412562310107157", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310107157", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Jenkins Multiple Vulnerabilities - Apr17 (Windows)\n#\n# Authors:\n# Tameem Eissa <tameem.eissa@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# 
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:jenkins:jenkins\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.107157\");\n script_version(\"2019-10-17T11:27:19+0000\");\n script_tag(name:\"last_modification\", value:\"2019-10-17 11:27:19 +0000 (Thu, 17 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-04-28 12:09:09 +0200 (Fri, 28 Apr 2017)\");\n script_cve_id(\"CVE-2017-1000353\", \"CVE-2017-1000354\", \"CVE-2017-1000355\", \"CVE-2017-1000356\");\n script_bugtraq_id(98056);\n\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_name(\"Jenkins Multiple Vulnerabilities - Apr17 (Windows)\");\n\n script_tag(name:\"summary\", value:\"Multiple Cross-Site Request Forgery vulnerabilities in Jenkins allow malicious users to\n perform several administrative actions by tricking a victim into opening a web page.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to:\n\n - multiple Cross-Site Request Forgery vulnerabilities.\n\n - the storage of the encrypted user name in a cache file which is used to authenticate further commands.\n\n - XStream library which allow anyone able to provide XML to Jenkins for processing using XStream to crash the Java process.\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue allows attackers to:\n\n - perform several administrative actions by tricking a 
victim into opening a web page.execute arbitrary code in the context\n of the affected application.\n\n - to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, that would be deserialized using a new\n ObjectInputStream, bypassing the existing blacklist-based protection mechanism.\n\n - impersonate any other Jenkins user on the same instance.\n\n - crash the Java process.\");\n\n script_tag(name:\"affected\", value:\"Jenkins main line 2.56 and prior, Jenkins LTS 2.46.1 and prior.\");\n\n script_tag(name:\"solution\", value:\"Jenkins main line users should update to 2.57,\n Jenkins LTS users should update to 2.46.2.\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/98056\");\n script_xref(name:\"URL\", value:\"https://jenkins.io/security/advisory/2017-04-26/\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_jenkins_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"jenkins/detected\", \"Host/runs_windows\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) )\n exit(0);\n\nif( ! infos = get_app_full( cpe:CPE, port:port ) )\n exit(0);\n\nif( ! 
version = infos[\"version\"])\n exit(0);\n\nlocation = infos[\"location\"];\nproto = infos[\"proto\"];\n\nif( get_kb_item( \"jenkins/\" + port + \"/is_lts\" ) ) {\n if( version_is_less( version:version, test_version:\"2.46.2\" ) ) {\n vuln = TRUE;\n fix = \"2.46.2\";\n }\n} else {\n if( version_is_less( version:version, test_version:\"2.57\" ) ) {\n vuln = TRUE;\n fix = \"2.57\";\n }\n}\n\nif( vuln ) {\n report = report_fixed_ver( installed_version:version, fixed_version:fix, install_path:location );\n security_message( port:port, data:report, proto:proto );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2022-06-13T22:15:16", "description": "\n\nJenkins Security Advisory:\n\nDescription\nSECURITY-412 through SECURITY-420 / CVE-2017-1000356\nCSRF: Multiple vulnerabilities\nSECURITY-429 / CVE-2017-1000353\nCLI: Unauthenticated remote code execution\nSECURITY-466 / CVE-2017-1000354\nCLI: Login command allowed impersonating any Jenkins user\nSECURITY-503 / CVE-2017-1000355\nXStream: Java crash when trying to instantiate void/Void\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-04-26T00:00:00", "type": "freebsd", "title": "jenkins -- multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, 
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000353", "CVE-2017-1000354", "CVE-2017-1000355", "CVE-2017-1000356"], "modified": "2017-04-26T00:00:00", "id": "631C4710-9BE5-4A80-9310-EB2847FE24DD", "href": "https://vuxml.freebsd.org/freebsd/631c4710-9be5-4a80-9310-eb2847fe24dd.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-01-11T14:23:25", "description": "Jenkins Security Advisory : DescriptionSECURITY-412 through SECURITY-420 / CVE-2017-1000356 CSRF: Multiple vulnerabilities SECURITY-429 / CVE-2017-1000353 CLI: Unauthenticated remote code execution SECURITY-466 / CVE-2017-1000354 CLI: Login command allowed impersonating any Jenkins user SECURITY-503 / CVE-2017-1000355 XStream: Java crash when trying to instantiate void/Void", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-04-27T00:00:00", "type": "nessus", "title": "FreeBSD : jenkins -- multiple vulnerabilities (631c4710-9be5-4a80-9310-eb2847fe24dd)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000353", "CVE-2017-1000354", "CVE-2017-1000355", "CVE-2017-1000356"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:jenkins", "p-cpe:/a:freebsd:freebsd:jenkins-lts", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_631C47109BE54A809310EB2847FE24DD.NASL", "href": "https://www.tenable.com/plugins/nessus/99698", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2020 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99698);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-1000353\", \"CVE-2017-1000354\", \"CVE-2017-1000355\", \"CVE-2017-1000356\");\n\n script_name(english:\"FreeBSD : jenkins -- multiple vulnerabilities (631c4710-9be5-4a80-9310-eb2847fe24dd)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Jenkins Security Advisory : DescriptionSECURITY-412 through\nSECURITY-420 / CVE-2017-1000356 CSRF: Multiple vulnerabilities\nSECURITY-429 / CVE-2017-1000353 CLI: Unauthenticated remote code\nexecution SECURITY-466 / CVE-2017-1000354 CLI: Login command allowed\nimpersonating any Jenkins user SECURITY-503 / CVE-2017-1000355\nXStream: Java crash when trying to instantiate void/Void\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://jenkins.io/security/advisory/2017-04-26/\"\n );\n # https://vuxml.freebsd.org/freebsd/631c4710-9be5-4a80-9310-eb2847fe24dd.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3062337c\"\n );\n script_set_attribute(attribute:\"solution\", 
value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Jenkins CLI Deserialization');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:jenkins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:jenkins-lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"jenkins<2.57\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"jenkins-lts<2.46.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:25:34", "description": "The version of Jenkins running on the remote web server is prior to 2.57 or is a version of Jenkins LTS prior to 2.46.2, or else it is a version of Jenkins Enterprise that is 1.625.x.y prior to 1.625.24.1, 1.651.x.y prior to 1.651.24.1, 2.7.x.0.y prior to 2.7.24.0.1, or 2.x.y.z prior to 2.46.2.1. It is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists within core/src/main/java/jenkins/model/Jenkins.java that allows an untrusted serialized Java SignedObject to be transferred to the remoting-based Jenkins CLI and deserialized using a new ObjectInputStream. By using a specially crafted request, an unauthenticated, remote attacker can exploit this issue to bypass existing blacklist protection mechanisms and execute arbitrary code. 
(CVE-2017-1000353)\n\n - A flaw exists in the remoting-based CLI, specifically in the ClientAuthenticationCache.java class, when storing the encrypted username of a successfully authenticated user in a cache file that is used to authenticate further commands. An authenticated, remote attacker who has sufficient permissions to create secrets in Jenkins and download their encrypted values can exploit this issue to impersonate any other Jenkins user on the same instance. (CVE-2017-1000354)\n\n - A denial of service vulnerability exists in the XStream library. An authenticated, remote attacker who has sufficient permissions, such as creating or configuring items, views or jobs, can exploit this to crash the Java process by using specially crafted XML content.\n (CVE-2017-1000355)\n\n - Cross-site request forgery (XSRF) vulnerabilities exist within multiple Java classes due to a failure to require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. 
An unauthenticated, remote attacker can exploit these to perform several administrative actions by convincing a user into opening a specially crafted web page.\n (CVE-2017-1000356)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-04T00:00:00", "type": "nessus", "title": "Jenkins < 2.46.2 / 2.57 and Jenkins Enterprise < 1.625.24.1 / 1.651.24.1 / 2.7.24.0.1 / 2.46.2.1 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000353", "CVE-2017-1000354", "CVE-2017-1000355", "CVE-2017-1000356"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:cloudbees:jenkins", "cpe:/a:jenkins:jenkins"], "id": "JENKINS_2_57.NASL", "href": "https://www.tenable.com/plugins/nessus/99984", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99984);\n script_version(\"1.10\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2017-1000353\",\n \"CVE-2017-1000354\",\n \"CVE-2017-1000355\",\n \"CVE-2017-1000356\"\n );\n script_bugtraq_id(\n 98056,\n 98062,\n 98065,\n 98066\n );\n\n script_name(english:\"Jenkins < 2.46.2 / 2.57 and Jenkins Enterprise < 1.625.24.1 / 1.651.24.1 / 2.7.24.0.1 / 2.46.2.1 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A job scheduling and management system hosted on the remote web server\nis affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Jenkins running on the remote web server is prior to\n2.57 or is a version of Jenkins LTS prior to 2.46.2, or else it is\na version of Jenkins Enterprise that is 1.625.x.y prior to 1.625.24.1,\n1.651.x.y prior to 1.651.24.1, 2.7.x.0.y prior to 2.7.24.0.1, or\n2.x.y.z prior to 2.46.2.1. It is, therefore, affected by multiple\nvulnerabilities :\n\n - A remote code execution vulnerability exists within\n core/src/main/java/jenkins/model/Jenkins.java that\n allows an untrusted serialized Java SignedObject to be\n transfered to the remoting-based Jenkins CLI and\n deserialized using a new ObjectInputStream. By using a\n specially crafted request, an unauthenticated, remote\n attacker can exploit this issue to bypass existing\n blacklist protection mechanisms and execute arbitrary\n code. (CVE-2017-1000353)\n\n - A flaw exists in the remoting-based CLI, specifically in\n the ClientAuthenticationCache.java class, when storing\n the encrypted username of a successfully authenticated\n user in a cache file that is used to authenticate\n further commands. An authenticated, remote attacker who\n has sufficient permissions to create secrets in Jenkins\n and download their encrypted values can exploit this\n issue to impersonate any other Jenkins user on the same\n instance. 
(CVE-2017-1000354)\n\n - A denial of service vulnerability exists in the XStream\n library. An authenticated, remote attacker who has\n sufficient permissions, such as creating or configuring\n items, views or jobs, can exploit this to crash the Java\n process by using specially crafted XML content.\n (CVE-2017-1000355)\n\n - Cross-site request forgery (XSRF) vulnerabilities exist\n within multiple Java classes due to a failure to require\n multiple steps, explicit confirmation, or a unique token\n when performing certain sensitive actions. An\n unauthenticated, remote attacker can exploit these to\n perform several administrative actions by convincing a\n user into opening a specially crafted web page.\n (CVE-2017-1000356)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.cloudbees.com/cloudbees-security-advisory-2017-04-26\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jenkins.io/security/advisory/2017-04-26/\");\n # https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9c6d83db\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade Jenkins to version 2.57 or later, Jenkins LTS to version\n2.46.2 or later, or Jenkins Enterprise to version 1.625.24.1 /\n1.651.24.1 / 2.7.24.0.1 / 2.46.2.1 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:X\");\n script_set_attribute(attribute:\"cvss_score_source\", 
value:\"CVE-2017-1000353\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cloudbees:jenkins\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:jenkins:jenkins\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"jenkins_detect.nasl\", \"jenkins_win_installed.nbin\", \"jenkins_nix_installed.nbin\", \"macosx_jenkins_installed.nbin\");\n script_require_keys(\"installed_sw/Jenkins\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::combined_get_app_info(app:'Jenkins');\n\nvar constraints = [\n { 'fixed_version' : '2.57', 'edition':'Open Source' },\n { 'fixed_version' : '2.46.2', 'edition':'Open Source LTS' },\n { 'min_version' : '1.651', 'fixed_version' : '1.651.24.1', 'edition':'Enterprise' },\n { 'min_version' : '2.7', 'fixed_version' : '2.7.24.0.1', 'edition':'Enterprise' },\n { 'min_version' : '2', 'fixed_version' : '2.46.2.1', 'edition':'Enterprise', 'rolling_train' : TRUE },\n { 'min_version' : '1.625', 'fixed_version' : '1.625.24.1', 'edition':'Operations Center' },\n { 'min_version' : '2.7', 'fixed_version' : '2.7.24.0.1', 'edition':'Operations Center' },\n { 'min_version' : '2', 'fixed_version' : '2.46.2.1', 'edition':'Operations Center', 'rolling_train' : TRUE }\n];\n\nvcf::jenkins::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE,\n flags:{xsrf:TRUE}\n);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}