Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneComputer-engineerH1:208566
HistoryFeb 24, 2017 - 8:22 a.m.

ownCloud: Outdated Jenkins server hosted at OwnCloud.org

2017-02-2408:22:00
computer-engineer
hackerone.com
83

0.006 Low

EPSS

Percentile

77.7%

JSON

###Summary:
The target OwnCloud’s server is running an outdated version of Jenkins server which is vulnerable to various attacks.

Server Location: https://ci.owncloud.org

Vulnerable Software: Jenkins ver. 2.27

###Proof of Exploitability

CVE-2016-3727
POC URL: https://ci.owncloud.org/computer/(master)/api/xml

>Details:

> The API URL /computer/(master)/api/xml allowed users with the extended read permission for the master node to see some global Jenkins configuration, including the configuration of the security realm.

> Source: https://jenkins.io/security/advisory/2016-05-11/

Additionally, the current software version is also vulnerable to RCE.
>CVE-2017-2608

>XStream remote code execution vulnerability

>Affected Versions: < 2.43

> Source: https://jenkins.io/security/advisory/2017-02-01/

###Recommended Fix
Update Jenkins server to latest version 2.47

Related

prion 2
ubuntucve 2
cve 2
cvelist 2
redhatcve 5
nvd 2
veracode 1
osv 2
seebug 1
github 1
fedora 3
openvas 7
nessus 8
redhat 2
freebsd 2
impervablog 1
prion
prion
Information disclosure
2016-05-17 14:08:00
Remote code execution
2018-05-15 20:29:00
ubuntucve
ubuntucve
CVE-2016-3727
2016-05-17 00:00:00
CVE-2017-2608
2018-05-15 00:00:00
cve
cve
CVE-2016-3727
2016-05-17 14:08:11
CVE-2017-2608
2018-05-15 20:29:00
cvelist
cvelist
CVE-2016-3727
2016-05-17 14:00:00
CVE-2017-2608
2018-05-15 20:00:00
redhatcve
redhatcve
CVE-2016-3727
2016-05-12 08:48:44
CVE-2017-2608
2017-02-02 15:19:40
CVE-2020-26217
2020-11-18 10:26:26
nvd
nvd
CVE-2016-3727
2016-05-17 14:08:11
CVE-2017-2608
2018-05-15 20:29:00
veracode
veracode
Information Disclosure
2019-05-02 05:34:34
osv
osv
Deserialization of Untrusted Data in Jenkins
2022-05-13 01:36:54
CVE-2017-2608
2018-05-15 20:29:00
seebug
seebug
Jenkins remote code execution vulnerability (CVE-2017-2608)
2017-02-06 00:00:00
github
github
Deserialization of Untrusted Data in Jenkins
2022-05-13 01:36:54
fedora
fedora
[SECURITY] Fedora 24 Update: jenkins-1.651.2-1.fc24
2016-05-21 20:52:11
[SECURITY] Fedora 23 Update: jenkins-1.625.3-4.fc23
2016-05-26 21:54:36
[SECURITY] Fedora 22 Update: jenkins-1.609.3-7.fc22
2016-05-26 22:20:29
openvas
openvas
Fedora Update for jenkins FEDORA-2016-9ba53cf8a2
2016-06-08 00:00:00
Fedora Update for jenkins FEDORA-2016-f7e7a6067d
2016-06-08 00:00:00
Fedora Update for jenkins FEDORA-2016-fd6100dd68
2016-06-08 00:00:00
nessus
nessus
FreeBSD : jenkins -- multiple vulnerabilities (e387834a-17ef-11e6-9947-7054d2909b71)
2016-05-12 00:00:00
Fedora 24 : jenkins (2016-fd6100dd68)
2016-07-14 00:00:00
RHEL 7 : jenkins (RHSA-2016:1206)
2018-12-04 00:00:00
redhat
redhat
(RHSA-2016:1206) Moderate: jenkins security update
2016-06-06 18:57:05
(RHSA-2016:1773) Important: Red Hat OpenShift Enterprise 2.2.10 security, bug fix, and enhancement update
2016-08-24 19:27:03
freebsd
freebsd
jenkins -- multiple vulnerabilities
2016-05-11 00:00:00
jenkins -- multiple vulnerabilities
2017-02-01 00:00:00
impervablog
impervablog
Deserialization Attacks Surge Motivated by Illegal Crypto-mining
2018-01-24 17:45:08

0.006 Low

EPSS

Percentile

77.7%

JSON
Related for H1:208566
prion2ubuntucve2cve2cvelist2redhatcve5nvd2veracode1osv2seebug1github1fedora3openvas7nessus8redhat2freebsd2impervablog1