Jenkins Cross-Site Request Forgery and Arbitrary Command Execution Vulnerabilities

Bugtraq ID:	69718
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Sep 08 2014 12:00AM
Updated:	Sep 08 2014 12:00AM
Credit:	JoeV
Vulnerable:	Jenkins-Ci Jenkins 1.578
Not Vulnerable:

Jenkins Cross-Site Request Forgery and Arbitrary Command Execution Vulnerabilities

Jenkins is prone to a cross-site request-forgery vulnerability and an arbitrary command-execution vulnerability.

Exploiting these issues may allow a remote attacker to execute arbitrary commands and perform certain administrative actions and gain unauthorized access to the affected application. Other attacks are also possible.

Jenkins 1.578 is vulnerable; other versions may also be affected.

Jenkins Cross-Site Request Forgery and Arbitrary Command Execution Vulnerabilities

The following example data is available:

• /data/vulnerabilities/exploits/69718.txt

Jenkins Cross-Site Request Forgery and Arbitrary Command Execution Vulnerabilities

Solution:
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].