cnvd - cnvd-2016-03162

cnvd-2016-03162

Vulnerability from cnvd

Title: CloudBees Jenkins CI和Jenkins LTS信息泄露漏洞（CNVD-2016-03162）

Description:

CloudBees Jenkins CI（前称Hudson Labs）是美国CloudBees公司的一套基于Java开发的持续集成工具，它主要用于监控持续的软件版本发布/测试项目和一些定时执行的任务。LTS（Long-Term Support）是CloudBees Jenkins CI的一个长期支持版本。

CloudBees Jenkins CI 2.2及之前版本和Jenkins LTS 1.651.1及之前版本的/computer/(master)/api/xml API URL中存在安全漏洞。攻击者可利用该漏洞以‘extended read’权限查看全局配置。

Severity: 中

Patch Name: CloudBees Jenkins CI和Jenkins LTS信息泄露漏洞（CNVD-2016-03162）的补丁

Patch Description:

CloudBees Jenkins CI 2.2及之前版本和Jenkins LTS 1.651.1及之前版本的/computer/(master)/api/xml API URL中存在安全漏洞。攻击者可利用该漏洞以‘extended read’权限查看全局配置。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11

Reference: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11

Impacted products

Name
['CloudBees Jenkins CI <=2.2', 'CloudBees Jenkins LTS <=1.651.1']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-3727"
    }
  },
  "description": "CloudBees Jenkins CI\uff08\u524d\u79f0Hudson Labs\uff09\u662f\u7f8e\u56fdCloudBees\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8eJava\u5f00\u53d1\u7684\u6301\u7eed\u96c6\u6210\u5de5\u5177\uff0c\u5b83\u4e3b\u8981\u7528\u4e8e\u76d1\u63a7\u6301\u7eed\u7684\u8f6f\u4ef6\u7248\u672c\u53d1\u5e03/\u6d4b\u8bd5\u9879\u76ee\u548c\u4e00\u4e9b\u5b9a\u65f6\u6267\u884c\u7684\u4efb\u52a1\u3002LTS\uff08Long-Term Support\uff09\u662fCloudBees Jenkins CI\u7684\u4e00\u4e2a\u957f\u671f\u652f\u6301\u7248\u672c\u3002\r\n\r\nCloudBees Jenkins CI 2.2\u53ca\u4e4b\u524d\u7248\u672c\u548cJenkins LTS 1.651.1\u53ca\u4e4b\u524d\u7248\u672c\u7684/computer/(master)/api/xml API URL\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4ee5\u2018extended read\u2019\u6743\u9650\u67e5\u770b\u5168\u5c40\u914d\u7f6e\u3002",
  "discovererName": "Jesse Glick, CloudBees, Inc",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-03162",
  "openTime": "2016-05-16",
  "patchDescription": "CloudBees Jenkins CI\uff08\u524d\u79f0Hudson Labs\uff09\u662f\u7f8e\u56fdCloudBees\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8eJava\u5f00\u53d1\u7684\u6301\u7eed\u96c6\u6210\u5de5\u5177\uff0c\u5b83\u4e3b\u8981\u7528\u4e8e\u76d1\u63a7\u6301\u7eed\u7684\u8f6f\u4ef6\u7248\u672c\u53d1\u5e03/\u6d4b\u8bd5\u9879\u76ee\u548c\u4e00\u4e9b\u5b9a\u65f6\u6267\u884c\u7684\u4efb\u52a1\u3002LTS\uff08Long-Term Support\uff09\u662fCloudBees Jenkins CI\u7684\u4e00\u4e2a\u957f\u671f\u652f\u6301\u7248\u672c\u3002\r\n\r\nCloudBees Jenkins CI 2.2\u53ca\u4e4b\u524d\u7248\u672c\u548cJenkins LTS 1.651.1\u53ca\u4e4b\u524d\u7248\u672c\u7684/computer/(master)/api/xml API URL\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4ee5\u2018extended read\u2019\u6743\u9650\u67e5\u770b\u5168\u5c40\u914d\u7f6e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "CloudBees Jenkins CI\u548cJenkins LTS\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2016-03162\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "CloudBees Jenkins CI \u003c=2.2",
      "CloudBees Jenkins LTS \u003c=1.651.1"
    ]
  },
  "referenceLink": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11",
  "serverity": "\u4e2d",
  "submitTime": "2016-05-13",
  "title": "CloudBees Jenkins CI\u548cJenkins LTS\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2016-03162\uff09"
}

CVE-2016-3727 (GCVE-0-2016-3727)

Vulnerability from cvelistv5

Published

2016-05-17 14:00

Modified

2024-08-06 00:03

Severity ?

CWE

Summary

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

References

▼	URL	Tags
	https://www.cloudbees.com/jenkins-security-advisory-2016-05-11	x_refsource_CONFIRM
	https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11	x_refsource_CONFIRM
	https://access.redhat.com/errata/RHSA-2016:1206	vendor-advisory, x_refsource_REDHAT
	http://rhn.redhat.com/errata/RHSA-2016-1773.html	vendor-advisory, x_refsource_REDHAT

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T00:03:34.534Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.cloudbees.com/jenkins-security-advisory-2016-05-11"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11"
          },
          {
            "name": "RHSA-2016:1206",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:1206"
          },
          {
            "name": "RHSA-2016:1773",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-05-11T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-01-04T19:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.cloudbees.com/jenkins-security-advisory-2016-05-11"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11"
        },
        {
          "name": "RHSA-2016:1206",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:1206"
        },
        {
          "name": "RHSA-2016:1773",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2016-3727",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.cloudbees.com/jenkins-security-advisory-2016-05-11",
              "refsource": "CONFIRM",
              "url": "https://www.cloudbees.com/jenkins-security-advisory-2016-05-11"
            },
            {
              "name": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11",
              "refsource": "CONFIRM",
              "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11"
            },
            {
              "name": "RHSA-2016:1206",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2016:1206"
            },
            {
              "name": "RHSA-2016:1773",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2016-3727",
    "datePublished": "2016-05-17T14:00:00",
    "dateReserved": "2016-03-30T00:00:00",
    "dateUpdated": "2024-08-06T00:03:34.534Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted