Fluid Attacks Database

Description

Jenkins allows for Privilege Escalation by Remote Authenticated Users The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.jenkins-ci.main:jenkins-core	>=1.597 <1.606 \|\| >=0 <1.596.2	1.606, 1.596.2

Aliases

1. CVE-2015-18142. NVD-2015-18143. OSV-2015-18144. GCVE-2015-18145. access.redhat.com

References

1. https://github.com/jenkinsci/jenkins/commit/57e78880cc035874bda916ef4d8d7fd7642af9db2. https://bugzilla.redhat.com/show_bug.cgi?id=12056163. https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-234. http://rhn.redhat.com/errata/RHSA-2015-1844.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.