https://bugzilla.redhat.com/show_bug.cgi?id=1335417
Bug ID: 1335417
Summary: CVE-2016-3723 jenkins: Information on installed plugins exposed via API (SECURITY-250)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: abhgupta(a)redhat.com, bleanhar(a)redhat.com,
ccoleman(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jialiu(a)redhat.com, jkeck(a)redhat.com,
joelsmith(a)redhat.com, jokerman(a)redhat.com,
kseifried(a)redhat.com, lmeyer(a)redhat.com,
mizdebsk(a)redhat.com, mmccomas(a)redhat.com,
msrb(a)redhat.com, tdawson(a)redhat.com,
tiwillia(a)redhat.com
The following flaw was found in Jenkins:
The XML/JSON API endpoints providing information about installed plugins were
missing permissions checks, allowing any user with read access to Jenkins to
determine which plugins and versions were installed.
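Until the fix is deployed, a defender's first question is who has already pulled the plugin inventory through the unprotected endpoints. The following script is an added example, not part of the bug report or of Jenkins itself: it parses access-log lines in NCSA combined format and reports successful reads of the plugin-inventory API by users outside an allow-list. The paths (/pluginManager/api/json, /pluginManager/api/xml, /pluginManager/api/python), the log lines and the admin set are assumptions constructed for the example; the advisory itself does not name them.

```python
import re
from collections import Counter

# Constructed sample access-log lines (NCSA combined format); not taken from the bug report.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/May/2016:10:01:02 +0000] "GET /job/build/api/json HTTP/1.1" 200 512
10.0.0.9 - bob [12/May/2016:10:01:10 +0000] "GET /pluginManager/api/json?depth=1 HTTP/1.1" 200 48213
10.0.0.9 - bob [12/May/2016:10:01:11 +0000] "GET /pluginManager/api/xml HTTP/1.1" 200 61004
10.0.0.12 - - [12/May/2016:10:02:30 +0000] "GET /pluginManager/api/json HTTP/1.1" 200 48213
10.0.0.5 - alice [12/May/2016:10:03:00 +0000] "GET /pluginManager/ HTTP/1.1" 403 0
"""

# One NCSA-style request line: client, ident, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Assumed plugin-inventory endpoints of the Jenkins plugin manager remote API.
PLUGIN_API_RE = re.compile(r'^/pluginManager/api/(json|xml|python)(\?|$)')

# Constructed allow-list: users who are expected to read the plugin inventory.
ADMINS = {"alice"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # NCSA logs unauthenticated requests with "-" as the user.
    rec["user"] = "anonymous" if rec["user"] == "-" else rec["user"]
    rec["status"] = int(rec["status"])
    return rec


def find_plugin_inventory_reads(log_text, admins):
    """Return (user, ip, path) for every successful plugin-inventory read by a non-admin."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Only successful responses disclosed data; a 403 means the check held.
        if rec["status"] != 200:
            continue
        if not PLUGIN_API_RE.match(rec["path"]):
            continue
        if rec["user"] in admins:
            continue
        hits.append((rec["user"], rec["ip"], rec["path"]))
    return hits


def summarize_by_user(hits):
    """Count plugin-inventory reads per non-admin user."""
    return Counter(user for user, _ip, _path in hits)


if __name__ == "__main__":
    findings = find_plugin_inventory_reads(SAMPLE_LOG, ADMINS)
    for user, ip, path in findings:
        print(f"{user:<10} {ip:<12} {path}")
    print(summarize_by_user(findings))
```

Run against real logs, the output tells you which accounts (or anonymous clients) obtained the plugin and version list while the endpoints lacked the permission check; those version lists are what an attacker would match against known plugin vulnerabilities, so they also tell you which plugins to prioritise for updating.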
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+20...