Jenkins Security Advisory reports:
This advisory announces a security vulnerability that was found in Jenkins core.
An attacker can then use this master cryptographic key to mount remote code execution attack against the Jenkins master, or impersonate arbitrary users in making REST API calls.
There are several factors that mitigate some of these problems that may apply to specific installations.
- The particular attack vector is only applicable on Jenkins instances that have slaves attached to them, and allow anonymous read access.
- Jenkins allows users to re-generate the API tokens. Those re-generated API tokens cannot be impersonated by the attacker.
Disclaimer: The data contained on this page is derived from the VuXML document, please refer to the the original document for copyright information. The author of portaudit makes no claim of authorship or ownership of any of the information contained herein.
If you have found a vulnerability in a FreeBSD port not listed in the database, please contact the FreeBSD Security Team. Refer to "FreeBSD Security Information" for more information.