Executive Summary
Summary | |
---|---|
Title | jenkins security update |
Informations | |||
---|---|---|---|
Name | RHSA-2016:1206 | First vendor Publication | 2016-06-06 |
Vendor | RedHat | Last vendor Modification | 2016-06-06 |
Severity (Vendor) | N/A | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 5.8 | Attack Range | Network |
Cvss Impact Score | 4.9 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: An updated Jenkins package and image that includes security fixes are now available for Red Hat OpenShift Enterprise 3.2. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenShift Enterprise 3.1 - noarch, x86_64 Red Hat OpenShift Enterprise 3.2 - noarch, x86_64 3. Description: OpenShift Enterprise by Red Hat is the company's cloud computing Platform- as-a-Service (PaaS) solution designed for on-premise or private cloud deployments. Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Security Fix(es): * The Jenkins continuous integration server has been updated to upstream version 1.651.2 LTS that addresses a large number of security issues, including open redirects, a potential denial of service, unsafe handling of user provided environment variables and several instances of sensitive information disclosure. (CVE-2016-3721, CVE-2016-3722, CVE-2016-3723, CVE-2016-3724, CVE-2016-3725, CVE-2016-3726, CVE-2016-3727) Refer to the changelog listed in the References section for a list of changes. This update includes the following image: openshift3/jenkins-1-rhel7:1.651.2-4 All OpenShift Enterprise 3.2 users are advised to upgrade to the updated package and image. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1333133 - better retry in accessing replication controllers from openshift jenkin-plugin 1335415 - CVE-2016-3721 jenkins: Arbitrary build parameters are passed to build scripts as environment variables (SECURITY-170) 1335416 - CVE-2016-3722 jenkins: Malicious users with multiple user accounts can prevent other users from logging in (SECURITY-243) 1335417 - CVE-2016-3723 jenkins: Information on installed plugins exposed via API (SECURITY-250) 1335418 - CVE-2016-3724 jenkins: Encrypted secrets (e.g. passwords) were leaked to users with permission to read configuration (SECURITY-266) 1335420 - CVE-2016-3725 jenkins: Regular users can trigger download of update site metadata (SECURITY-273) 1335421 - CVE-2016-3726 jenkins: Open redirect to scheme-relative URLs (SECURITY-276) 1335422 - CVE-2016-3727 jenkins: Granting the permission to read node configurations allows access to overall system configuration (SECURITY-281) |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2016-1206.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-200 | Information Exposure |
33 % | CWE-264 | Permissions, Privileges, and Access Controls |
17 % | CWE-17 | Code |
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-07-14 | Name : The remote Fedora host is missing a security update. File : fedora_2016-9ba53cf8a2.nasl - Type : ACT_GATHER_INFO |
2016-07-14 | Name : The remote Fedora host is missing a security update. File : fedora_2016-f7e7a6067d.nasl - Type : ACT_GATHER_INFO |
2016-07-14 | Name : The remote Fedora host is missing a security update. File : fedora_2016-fd6100dd68.nasl - Type : ACT_GATHER_INFO |
2016-05-12 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_e387834a17ef11e699477054d2909b71.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2016-06-07 00:23:36 |
|