This advisory announces multiple vulnerabilities in Jenkins.
SECURITY-232 / CVE-2016-0788
A vulnerability in the Jenkins remoting module allowed unauthenticated remote attackers to open a JRMP listener on the server hosting the Jenkins controller process, which allowed arbitrary code execution.
SECURITY-238 / CVE-2016-0789
An HTTP response splitting vulnerability in the CLI command documentation allowed attackers to craft Jenkins URLs that serve malicious content.
SECURITY-241 / CVE-2016-0790
The verification of user-provided API tokens with the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to use statistical methods to determine valid API tokens using brute-force methods.
SECURITY-245 / CVE-2016-0791
The verification of user-provided CSRF crumbs with the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to use statistical methods to determine valid CSRF crumbs using brute-force methods.
SECURITY-232 is considered critical as it allows unprivileged attackers to execute arbitrary code in many configurations.
SECURITY-238 is considered medium as it allows unprivileged attackers to send maliciously crafted links that result e.g. in XSS to victims.
SECURITY-241 is considered high as it allows unprivileged attackers to brute-force valid login credentials.
SECURITY-245 is considered medium as it allows unprivileged attackers to brute-force CSRF protection.
SECURITY-247 is considered high as it allows low-privilege attackers to execute arbitrary code on the Jenkins controller.
All Jenkins main line releases up to and including 1.649
All Jenkins LTS releases up to and including 1.642.1
Jenkins main line users should update to 1.650
Jenkins LTS users should update to 1.642.2
These versions include fixes to all the vulnerabilities described above. All prior versions are affected by these vulnerabilities.
The Jenkins project would like to thank the following people for discovering and reporting these vulnerabilities:
Moritz Bechler for SECURITY-232
Seung-Hyun Cho for SECURITY-238
Steve Marlowe <firstname.lastname@example.org> of Cisco ASIG for SECURITY-241
James Nord, CloudBees, Inc. for SECURITY-245
Arshan Dabirsiaghi, Contrast Security for SECURITY-247