oss-sec mailing list archives
Re: Multiple vulnerabilities in Jenkins plugins
From: Daniel Beck <ml () beckweb net>
Date: Sat, 18 Nov 2017 08:23:48 +0100
On 11. Oct 2017, at 18:25, Daniel Beck <ml () beckweb net> wrote:

> SECURITY-557 Maven Plugin bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks.

CVE-2017-1000397

> SECURITY-597 Swarm Plugin Client bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks.

CVE-2017-1000402

> SECURITY-623 Speaks! Plugin allows users with Job/Configure permission to run arbitrary Groovy code inside the Jenkins JVM, effectively elevating privileges to Overall/Run Scripts.

CVE-2017-1000403
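The two commons-httpclient items above (SECURITY-557 and SECURITY-597) both come down to the same missing step: after the certificate chain has been validated, the client must also check that the name in the certificate matches the host it connected to. Without that step any trusted certificate is accepted for any server, which is the man-in-the-middle condition the advisory describes. The following is an added illustration, not code from Jenkins, the affected plugins or commons-httpclient. It implements RFC 6125-style name matching (subjectAltName dNSName entries, iPAddress entries for IP literals, CN only as a fallback, wildcard restricted to one whole leftmost label) and a `verify_peer` step whose `check_hostname=False` path reproduces the vulnerable behaviour. The certificate records are constructed dictionaries standing in for parsed X.509 certificates that have already passed chain validation; the host and certificate names are made up.

```python
import ipaddress


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName (or CN) value against a hostname, RFC 6125 style.

    - comparison is case-insensitive and on whole labels only
    - a wildcard is allowed only as the entire leftmost label, matches
      exactly one label, and needs at least two labels after it, so
      '*.org' never matches 'example.org'
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if not all(p_labels) or not all(h_labels):
        return False  # empty label, e.g. '.example.org'
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False  # partial ('w*.example.org') or non-leftmost wildcard
    if len(p_labels) < 3:
        return False  # '*.org' or bare '*' would cover far too much
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_matches(hostname, san_dns_names=(), san_ip_addresses=(),
                     common_name=None) -> bool:
    """Return True only if the certificate names cover `hostname`.

    An IP literal is compared against iPAddress SAN entries only. A DNS
    name is compared against dNSName SAN entries; the CN is consulted only
    when the certificate carries no dNSName entries at all.
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip == ipaddress.ip_address(s) for s in san_ip_addresses)
    if san_dns_names:
        return any(_dns_name_matches(n, hostname) for n in san_dns_names)
    return common_name is not None and _dns_name_matches(common_name, hostname)


def verify_peer(cert: dict, hostname: str, check_hostname: bool = True) -> bool:
    """Client-side verification step.

    `cert` is a constructed dict standing in for a parsed certificate;
    `chain_valid` models the result of chain validation. With
    check_hostname=False this behaves like the vulnerable client: any
    trusted certificate is accepted for any host, so an attacker holding a
    valid certificate for its own domain can intercept the connection.
    """
    if not cert.get("chain_valid", False):
        return False
    if not check_hostname:
        return True
    return hostname_matches(hostname, cert.get("san_dns", ()),
                            cert.get("san_ip", ()), cert.get("cn"))


# Constructed sample certificates (not real data): one for the server the
# client intends to reach, one a MITM holds for an unrelated host.
LEGIT_CERT = {"chain_valid": True, "cn": "repo.example.org",
              "san_dns": ["repo.example.org", "*.example.org"]}
MITM_CERT = {"chain_valid": True, "cn": "attacker.example.net",
             "san_dns": ["attacker.example.net"]}


if __name__ == "__main__":
    target = "repo.example.org"
    print("legit cert, hostname checked :", verify_peer(LEGIT_CERT, target))
    print("MITM cert, hostname checked  :", verify_peer(MITM_CERT, target))
    print("MITM cert, hostname ignored  :",
          verify_peer(MITM_CERT, target, check_hostname=False))
```

In a real client this logic belongs to the TLS library rather than to application code; the practical check is that the HTTP client in use actually enables it (in Python, for instance, `ssl.create_default_context()` sets `check_hostname = True`), and that no bundled copy of an old library reintroduces a client that skips it.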
Current thread:
- Multiple vulnerabilities in Jenkins plugins Daniel Beck (Oct 11)
- Re: Multiple vulnerabilities in Jenkins plugins Daniel Beck (Nov 17)
- <Possible follow-ups>
- Multiple vulnerabilities in Jenkins plugins Daniel Beck (Oct 23)
- Re: Multiple vulnerabilities in Jenkins plugins Daniel Beck (Nov 17)