
Multiple vulnerabilities in Jenkins and LTS
Published: 2020-03-26
Severity Low
Patch available YES
Number of vulnerabilities 4
CVE ID CVE-2020-2163
CVE-2020-2162
CVE-2020-2161
CVE-2020-2160
CWE ID CWE-79
CWE-352
Exploitation vector Network
Public exploit N/A
Vulnerable software
Jenkins
Server applications / Application servers

Jenkins LTS
Server applications / Application servers

Vendor Jenkins

Security Advisory

1) Stored cross-site scripting

Severity: Low

CVSSv3: 5.6 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-2163

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in list view column headers. A remote authenticated attacker can permanently inject arbitrary HTML and script code that is executed in a user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Jenkins: 2.0, 2.1, 2.2, 2.44, 2.45, 2.46, 2.46.1, 2.46.2, 2.46.3, 2.47, 2.48, 2.49, 2.50, 2.51, 2.52, 2.53, 2.54, 2.55, 2.56, 2.57, 2.58, 2.59, 2.60, 2.60.1, 2.60.2, 2.60.3, 2.61, 2.62, 2.63, 2.64, 2.65, 2.66, 2.67, 2.68, 2.69, 2.70, 2.71, 2.72, 2.73, 2.73.1, 2.73.2, 2.73.3, 2.74, 2.75, 2.76, 2.77, 2.78, 2.79, 2.80, 2.81, 2.82, 2.83, 2.84, 2.85, 2.86, 2.87, 2.88, 2.89, 2.89.1, 2.89.2, 2.89.3, 2.89.4, 2.90, 2.91, 2.92, 2.93, 2.94, 2.95, 2.96, 2.97, 2.98, 2.99, 2.100, 2.101, 2.102, 2.103, 2.104, 2.105, 2.106, 2.107, 2.107.1, 2.107.2, 2.107.3, 2.108, 2.109, 2.110, 2.111, 2.112, 2.113, 2.114, 2.115, 2.116, 2.117, 2.118, 2.119, 2.120, 2.121, 2.121.1, 2.121.2, 2.121.3, 2.122, 2.123, 2.124, 2.125, 2.126, 2.127, 2.128, 2.129, 2.130, 2.131, 2.132, 2.133, 2.134, 2.135, 2.136, 2.137, 2.138, 2.138.1, 2.138.2, 2.138.3, 2.138.4, 2.139, 2.140, 2.141, 2.142, 2.143, 2.144, 2.145, 2.146, 2.147, 2.148, 2.149, 2.150, 2.150.1, 2.150.2, 2.150.3, 2.151, 2.152, 2.153, 2.154, 2.155, 2.156, 2.157, 2.158, 2.159, 2.160, 2.161, 2.162, 2.163, 2.164, 2.164.1, 2.164.2, 2.164.3, 2.165, 2.166, 2.167, 2.168, 2.169, 2.170, 2.171, 2.172, 2.173, 2.174, 2.175, 2.176, 2.176.1, 2.176.2, 2.176.3, 2.176.4, 2.177, 2.178, 2.179, 2.180, 2.181, 2.182, 2.183, 2.184, 2.185, 2.186, 2.187, 2.189, 2.190, 2.190.1, 2.190.2, 2.190.3, 2.191, 2.192, 2.193, 2.194, 2.195, 2.196, 2.197, 2.198, 2.199, 2.200, 2.201, 2.202, 2.203, 2.204, 2.204.1, 2.204.2, 2.204.3, 2.204.4, 2.204.5, 2.204.6, 2.205, 2.206, 2.207, 2.208, 2.209, 2.210, 2.211, 2.212, 2.213, 2.214, 2.215, 2.216, 2.217, 2.218, 2.219, 2.220, 2.221, 2.222, 2.222.1, 2.223, 2.224, 2.225, 2.226, 2.227

Jenkins LTS: 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.19.1, 2.19.2, 2.19.3, 2.19.4, 2.32.1, 2.32.2, 2.32.3, 2.46.1, 2.46.2, 2.46.3, 2.60.1, 2.60.2, 2.60.3, 2.73.1, 2.73.2, 2.73.3, 2.89.1, 2.89.2, 2.89.3, 2.89.4, 2.107.1, 2.107.2, 2.107.3, 2.121.1, 2.121.2, 2.121.3, 2.138.1, 2.138.2, 2.138.3, 2.138.4, 2.150.1, 2.150.2, 2.150.3, 2.164.1, 2.164.2, 2.164.3, 2.176.1, 2.176.2, 2.176.3, 2.176.4, 2.190.1, 2.190.2, 2.190.3, 2.204.1, 2.204.2, 2.204.3, 2.204.4, 2.204.5

External links

http://www.openwall.com/lists/oss-security/2020/03/25/2
https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1796

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Stored cross-site scripting

Severity: Low

CVSSv3: 5.6 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-2162

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in file parameters. A remote authenticated attacker can permanently inject arbitrary HTML and script code that is executed in a user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Jenkins: 2.0, 2.1, 2.2, 2.44, 2.45, 2.46, 2.46.1, 2.46.2, 2.46.3, 2.47, 2.48, 2.49, 2.50, 2.51, 2.52, 2.53, 2.54, 2.55, 2.56, 2.57, 2.58, 2.59, 2.60, 2.60.1, 2.60.2, 2.60.3, 2.61, 2.62, 2.63, 2.64, 2.65, 2.66, 2.67, 2.68, 2.69, 2.70, 2.71, 2.72, 2.73, 2.73.1, 2.73.2, 2.73.3, 2.74, 2.75, 2.76, 2.77, 2.78, 2.79, 2.80, 2.81, 2.82, 2.83, 2.84, 2.85, 2.86, 2.87, 2.88, 2.89, 2.89.1, 2.89.2, 2.89.3, 2.89.4, 2.90, 2.91, 2.92, 2.93, 2.94, 2.95, 2.96, 2.97, 2.98, 2.99, 2.100, 2.101, 2.102, 2.103, 2.104, 2.105, 2.106, 2.107, 2.107.1, 2.107.2, 2.107.3, 2.108, 2.109, 2.110, 2.111, 2.112, 2.113, 2.114, 2.115, 2.116, 2.117, 2.118, 2.119, 2.120, 2.121, 2.121.1, 2.121.2, 2.121.3, 2.122, 2.123, 2.124, 2.125, 2.126, 2.127, 2.128, 2.129, 2.130, 2.131, 2.132, 2.133, 2.134, 2.135, 2.136, 2.137, 2.138, 2.138.1, 2.138.2, 2.138.3, 2.138.4, 2.139, 2.140, 2.141, 2.142, 2.143, 2.144, 2.145, 2.146, 2.147, 2.148, 2.149, 2.150, 2.150.1, 2.150.2, 2.150.3, 2.151, 2.152, 2.153, 2.154, 2.155, 2.156, 2.157, 2.158, 2.159, 2.160, 2.161, 2.162, 2.163, 2.164, 2.164.1, 2.164.2, 2.164.3, 2.165, 2.166, 2.167, 2.168, 2.169, 2.170, 2.171, 2.172, 2.173, 2.174, 2.175, 2.176, 2.176.1, 2.176.2, 2.176.3, 2.176.4, 2.177, 2.178, 2.179, 2.180, 2.181, 2.182, 2.183, 2.184, 2.185, 2.186, 2.187, 2.189, 2.190, 2.190.1, 2.190.2, 2.190.3, 2.191, 2.192, 2.193, 2.194, 2.195, 2.196, 2.197, 2.198, 2.199, 2.200, 2.201, 2.202, 2.203, 2.204, 2.204.1, 2.204.2, 2.204.3, 2.204.4, 2.204.5, 2.204.6, 2.205, 2.206, 2.207, 2.208, 2.209, 2.210, 2.211, 2.212, 2.213, 2.214, 2.215, 2.216, 2.217, 2.218, 2.219, 2.220, 2.221, 2.222, 2.222.1, 2.223, 2.224, 2.225, 2.226, 2.227

Jenkins LTS: 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.19.1, 2.19.2, 2.19.3, 2.19.4, 2.32.1, 2.32.2, 2.32.3, 2.46.1, 2.46.2, 2.46.3, 2.60.1, 2.60.2, 2.60.3, 2.73.1, 2.73.2, 2.73.3, 2.89.1, 2.89.2, 2.89.3, 2.89.4, 2.107.1, 2.107.2, 2.107.3, 2.121.1, 2.121.2, 2.121.3, 2.138.1, 2.138.2, 2.138.3, 2.138.4, 2.150.1, 2.150.2, 2.150.3, 2.164.1, 2.164.2, 2.164.3, 2.176.1, 2.176.2, 2.176.3, 2.176.4, 2.190.1, 2.190.2, 2.190.3, 2.204.1, 2.204.2, 2.204.3, 2.204.4, 2.204.5

External links

http://www.openwall.com/lists/oss-security/2020/03/25/2
https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1793

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Stored cross-site scripting

Severity: Low

CVSSv3: 5.6 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-2161

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in labels for nodes. A remote authenticated attacker can permanently inject arbitrary HTML and script code that is executed in a user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Jenkins: 2.0, 2.1, 2.2, 2.44, 2.45, 2.46, 2.46.1, 2.46.2, 2.46.3, 2.47, 2.48, 2.49, 2.50, 2.51, 2.52, 2.53, 2.54, 2.55, 2.56, 2.57, 2.58, 2.59, 2.60, 2.60.1, 2.60.2, 2.60.3, 2.61, 2.62, 2.63, 2.64, 2.65, 2.66, 2.67, 2.68, 2.69, 2.70, 2.71, 2.72, 2.73, 2.73.1, 2.73.2, 2.73.3, 2.74, 2.75, 2.76, 2.77, 2.78, 2.79, 2.80, 2.81, 2.82, 2.83, 2.84, 2.85, 2.86, 2.87, 2.88, 2.89, 2.89.1, 2.89.2, 2.89.3, 2.89.4, 2.90, 2.91, 2.92, 2.93, 2.94, 2.95, 2.96, 2.97, 2.98, 2.99, 2.100, 2.101, 2.102, 2.103, 2.104, 2.105, 2.106, 2.107, 2.107.1, 2.107.2, 2.107.3, 2.108, 2.109, 2.110, 2.111, 2.112, 2.113, 2.114, 2.115, 2.116, 2.117, 2.118, 2.119, 2.120, 2.121, 2.121.1, 2.121.2, 2.121.3, 2.122, 2.123, 2.124, 2.125, 2.126, 2.127, 2.128, 2.129, 2.130, 2.131, 2.132, 2.133, 2.134, 2.135, 2.136, 2.137, 2.138, 2.138.1, 2.138.2, 2.138.3, 2.138.4, 2.139, 2.140, 2.141, 2.142, 2.143, 2.144, 2.145, 2.146, 2.147, 2.148, 2.149, 2.150, 2.150.1, 2.150.2, 2.150.3, 2.151, 2.152, 2.153, 2.154, 2.155, 2.156, 2.157, 2.158, 2.159, 2.160, 2.161, 2.162, 2.163, 2.164, 2.164.1, 2.164.2, 2.164.3, 2.165, 2.166, 2.167, 2.168, 2.169, 2.170, 2.171, 2.172, 2.173, 2.174, 2.175, 2.176, 2.176.1, 2.176.2, 2.176.3, 2.176.4, 2.177, 2.178, 2.179, 2.180, 2.181, 2.182, 2.183, 2.184, 2.185, 2.186, 2.187, 2.189, 2.190, 2.190.1, 2.190.2, 2.190.3, 2.191, 2.192, 2.193, 2.194, 2.195, 2.196, 2.197, 2.198, 2.199, 2.200, 2.201, 2.202, 2.203, 2.204, 2.204.1, 2.204.2, 2.204.3, 2.204.4, 2.204.5, 2.204.6, 2.205, 2.206, 2.207, 2.208, 2.209, 2.210, 2.211, 2.212, 2.213, 2.214, 2.215, 2.216, 2.217, 2.218, 2.219, 2.220, 2.221, 2.222, 2.222.1, 2.223, 2.224, 2.225, 2.226, 2.227

Jenkins LTS: 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.19.1, 2.19.2, 2.19.3, 2.19.4, 2.32.1, 2.32.2, 2.32.3, 2.46.1, 2.46.2, 2.46.3, 2.60.1, 2.60.2, 2.60.3, 2.73.1, 2.73.2, 2.73.3, 2.89.1, 2.89.2, 2.89.3, 2.89.4, 2.107.1, 2.107.2, 2.107.3, 2.121.1, 2.121.2, 2.121.3, 2.138.1, 2.138.2, 2.138.3, 2.138.4, 2.150.1, 2.150.2, 2.150.3, 2.164.1, 2.164.2, 2.164.3, 2.176.1, 2.176.2, 2.176.3, 2.176.4, 2.190.1, 2.190.2, 2.190.3, 2.204.1, 2.204.2, 2.204.3, 2.204.4, 2.204.5

External links

http://www.openwall.com/lists/oss-security/2020/03/25/2
https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1781

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Cross-site request forgery

Severity: Low

CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-2160

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin for any URL. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Jenkins: 2.0, 2.1, 2.2, 2.44, 2.45, 2.46, 2.46.1, 2.46.2, 2.46.3, 2.47, 2.48, 2.49, 2.50, 2.51, 2.52, 2.53, 2.54, 2.55, 2.56, 2.57, 2.58, 2.59, 2.60, 2.60.1, 2.60.2, 2.60.3, 2.61, 2.62, 2.63, 2.64, 2.65, 2.66, 2.67, 2.68, 2.69, 2.70, 2.71, 2.72, 2.73, 2.73.1, 2.73.2, 2.73.3, 2.74, 2.75, 2.76, 2.77, 2.78, 2.79, 2.80, 2.81, 2.82, 2.83, 2.84, 2.85, 2.86, 2.87, 2.88, 2.89, 2.89.1, 2.89.2, 2.89.3, 2.89.4, 2.90, 2.91, 2.92, 2.93, 2.94, 2.95, 2.96, 2.97, 2.98, 2.99, 2.100, 2.101, 2.102, 2.103, 2.104, 2.105, 2.106, 2.107, 2.107.1, 2.107.2, 2.107.3, 2.108, 2.109, 2.110, 2.111, 2.112, 2.113, 2.114, 2.115, 2.116, 2.117, 2.118, 2.119, 2.120, 2.121, 2.121.1, 2.121.2, 2.121.3, 2.122, 2.123, 2.124, 2.125, 2.126, 2.127, 2.128, 2.129, 2.130, 2.131, 2.132, 2.133, 2.134, 2.135, 2.136, 2.137, 2.138, 2.138.1, 2.138.2, 2.138.3, 2.138.4, 2.139, 2.140, 2.141, 2.142, 2.143, 2.144, 2.145, 2.146, 2.147, 2.148, 2.149, 2.150, 2.150.1, 2.150.2, 2.150.3, 2.151, 2.152, 2.153, 2.154, 2.155, 2.156, 2.157, 2.158, 2.159, 2.160, 2.161, 2.162, 2.163, 2.164, 2.164.1, 2.164.2, 2.164.3, 2.165, 2.166, 2.167, 2.168, 2.169, 2.170, 2.171, 2.172, 2.173, 2.174, 2.175, 2.176, 2.176.1, 2.176.2, 2.176.3, 2.176.4, 2.177, 2.178, 2.179, 2.180, 2.181, 2.182, 2.183, 2.184, 2.185, 2.186, 2.187, 2.189, 2.190, 2.190.1, 2.190.2, 2.190.3, 2.191, 2.192, 2.193, 2.194, 2.195, 2.196, 2.197, 2.198, 2.199, 2.200, 2.201, 2.202, 2.203, 2.204, 2.204.1, 2.204.2, 2.204.3, 2.204.4, 2.204.5, 2.204.6, 2.205, 2.206, 2.207, 2.208, 2.209, 2.210, 2.211, 2.212, 2.213, 2.214, 2.215, 2.216, 2.217, 2.218, 2.219, 2.220, 2.221, 2.222, 2.222.1, 2.223, 2.224, 2.225, 2.226, 2.227

Jenkins LTS: 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.19.1, 2.19.2, 2.19.3, 2.19.4, 2.32.1, 2.32.2, 2.32.3, 2.46.1, 2.46.2, 2.46.3, 2.60.1, 2.60.2, 2.60.3, 2.73.1, 2.73.2, 2.73.3, 2.89.1, 2.89.2, 2.89.3, 2.89.4, 2.107.1, 2.107.2, 2.107.3, 2.121.1, 2.121.2, 2.121.3, 2.138.1, 2.138.2, 2.138.3, 2.138.4, 2.150.1, 2.150.2, 2.150.3, 2.164.1, 2.164.2, 2.164.3, 2.176.1, 2.176.2, 2.176.3, 2.176.4, 2.190.1, 2.190.2, 2.190.3, 2.204.1, 2.204.2, 2.204.3, 2.204.4, 2.204.5

External links

http://www.openwall.com/lists/oss-security/2020/03/25/2
https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1774

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.