Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:93063
HistoryApr 28, 2017 - 12:00 a.m.

Jenkins Multiple CSRF vulnerabilities (CVE-2017-1000356)

2017-04-2800:00:00
Root
www.seebug.org
21

0.009 Low

EPSS

Percentile

80.8%

JSON

Multiple Cross-Site Request Forgery vulnerabilities in Jenkins allowed malicious users to perform several administrative actions by tricking a victim into opening a web page. The most notable ones:

  • SECURITY-412: Restart Jenkins immediately, after all builds are finished, or after all plugin installations and builds are finished

  • SECURITY-412: Schedule a downgrade of Jenkins to a previously installed version if Jenkins previously upgraded itself

  • SECURITY-413: Install and (optionally) dynamically load any plugin present on a configured update site

  • SECURITY-414: Remove any update site from the Jenkins configuration

  • SECURITY-415: Change a user’s API token

  • SECURITY-416: Submit system configuration

  • SECURITY-417: Submit global security configuration

  • SECURITY-418, SECURITY-420: For Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process

  • SECURITY-419: Create a new agent, possibly executing arbitrary shell commands on the master node by choosing the appropriate launch method

  • SECURITY-420: Cancel a scheduled restart

  • SECURITY-420: Configure the global logging levels

  • SECURITY-420: Create a copy of an existing agent

  • SECURITY-420: Create copies of views in users’ β€œMy Views” or as children of the experimental β€œTree View” feature

  • SECURITY-420: Enter β€œquiet down” mode in which no new builds are started

  • SECURITY-420: On Windows, after successful installation as a service, restart

  • SECURITY-420: On Windows, try to install Jenkins as a service

  • SECURITY-420: Set the descriptions of items (jobs), builds, and users

  • SECURITY-420: Submit global tools configuration (Jenkins 2.0 and up)

  • SECURITY-420: Toggle keeping a build forever (i.e. exclude or include it in log rotation)

  • SECURITY-420: Try to connect all disconnected agents simultaneously

  • SECURITY-420: Update the node monitor data on all agents

The above, as well as several other more minor issues, have all been fixed and these actions now require POST requests, and, if configured, a CSRF crumb, to work.

Related

osv 2
checkpoint_advisories 1
ubuntucve 1
redhatcve 1
prion 1
cve 1
github 1
archlinux 1
nessus 2
freebsd 1
openvas 2
osv
osv
CVE-2017-1000356
2018-01-29 17:29:00
Cross-Site Request Forgery in Jenkins
2022-05-14 03:44:36
checkpoint_advisories
checkpoint_advisories
Jenkins CI Server Multiple Cross-Site Request Forgery (CVE-2017-1000356)
2017-06-07 00:00:00
ubuntucve
ubuntucve
CVE-2017-1000356
2018-01-29 00:00:00
redhatcve
redhatcve
CVE-2017-1000356
2017-04-27 09:48:18
prion
prion
Authentication flaw
2018-01-29 17:29:00
cve
cve
CVE-2017-1000356
2018-01-29 17:29:00
github
github
Cross-Site Request Forgery in Jenkins
2022-05-14 03:44:36
archlinux
archlinux
[ASA-201704-8] jenkins: multiple issues
2017-04-27 00:00:00
nessus
nessus
Jenkins < 2.46.2 / 2.57 and Jenkins Enterprise < 1.625.24.1 / 1.651.24.1 / 2.7.24.0.1 / 2.46.2.1 Multiple Vulnerabilities
2017-05-04 00:00:00
FreeBSD : jenkins -- multiple vulnerabilities (631c4710-9be5-4a80-9310-eb2847fe24dd)
2017-04-27 00:00:00
freebsd
freebsd
jenkins -- multiple vulnerabilities
2017-04-26 00:00:00
openvas
openvas
Jenkins Multiple Vulnerabilities (Apr 2017) - Windows
2017-04-28 00:00:00
Jenkins Multiple Vulnerabilities (Apr 2017) - Linux
2017-04-28 00:00:00

0.009 Low

EPSS

Percentile

80.8%

JSON
Related for SSV:93063
osv2checkpoint_advisories1ubuntucve1redhatcve1prion1cve1github1archlinux1nessus2freebsd1openvas2