CVE-2016-3727: Infoleak
First published: Thu May 12 2016(Updated: )
The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/Jenkins | <2.3 | 2.3 |
| redhat/Jenkins | <1.651.2 | 1.651.2 |
| Jenkins LTS | <=2.2 | |
| Jenkins LTS | <=1.651.1 | |
| Red Hat OpenShift | =3.1 | |
| Red Hat OpenShift | =3.2 | |
| maven/org.jenkins-ci.main:jenkins-core | <1.651.2 | 1.651.2 |
| maven/org.jenkins-ci.main:jenkins-core | >=1.652<2.3 | 2.3 |
| <=2.2 | ||
| <=1.651.1 | ||
| =3.1 | ||
| =3.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1335427
- https://access.redhat.com/errata/RHSA-2016:1206
- https://rhn.redhat.com/errata/RHSA-2016-1773.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1335422
- https://www.cloudbees.com/jenkins-security-advisory-2016-05-11
- http://rhn.redhat.com/errata/RHSA-2016-1773.html
- https://nvd.nist.gov/vuln/detail/CVE-2016-3727
- https://github.com/jenkinsci/jenkins/commit/d66ad6f3ee46a5c6bb865bb831e8cdfc74cd7eb3
- https://github.com/advisories/GHSA-6cr3-cm5h-8q96 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2016-3727?
CVE-2016-3727 has been assigned a moderate severity rating due to the potential exposure of sensitive configuration information.
How do I fix CVE-2016-3727?
To mitigate CVE-2016-3727, upgrade Jenkins to version 2.3 or later, or to LTS version 1.651.2 or later.
Who is affected by CVE-2016-3727?
CVE-2016-3727 affects remote authenticated users with extended read permissions on the master node in Jenkins versions prior to 2.3 and LTS prior to 1.651.2.
What type of information can be accessed via CVE-2016-3727?
CVE-2016-3727 allows unauthorized access to sensitive global configuration information in Jenkins.
When was CVE-2016-3727 disclosed?
CVE-2016-3727 was disclosed on May 11, 2016.
- agent/type
- agent/first-publish-date
- agent/author
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-3727
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-6cr3-cm5h-8q96
- agent/last-modified-date
- agent/references
- agent/severity
- agent/source
- agent/tags
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- package-manager/redhat
- vendor/jenkins
- canonical/jenkins lts
- version/jenkins lts/2.2
- version/jenkins lts/1.651.1
- vendor/redhat
- canonical/red hat openshift
- version/red hat openshift/3.1
- version/red hat openshift/3.2
- package-manager/maven