https://bugzilla.redhat.com/show_bug.cgi?id=1335417 Bug ID: 1335417 Summary: CVE-2016-3723 jenkins: Information on installed plugins exposed via API (SECURITY-250) Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: anemec(a)redhat.com CC: abhgupta(a)redhat.com, bleanhar(a)redhat.com, ccoleman(a)redhat.com, dmcphers(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jialiu(a)redhat.com, jkeck(a)redhat.com, joelsmith(a)redhat.com, jokerman(a)redhat.com, kseifried(a)redhat.com, lmeyer(a)redhat.com, mizdebsk(a)redhat.com, mmccomas(a)redhat.com, msrb(a)redhat.com, tdawson(a)redhat.com, tiwillia(a)redhat.com The following flaw was found in Jenkins: The XML/JSON API endpoints providing information about installed plugins were missing permissions checks, allowing any user with read access to Jenkins to determine which plugins and versions were installed. External References: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+20... -- You are receiving this mail because: You are on the CC list for the bug.