CVE-2014-3665 — Execution with Unnecessary Privileges in Jenkins

CWE-264 CWE-250 — Execution with Unnecessary Privileges CWE-284 — Improper Access Control12 documents6 sources

Severity

7.5HIGHNVD

NVD6.8GHSA6.8OSV6.8

EPSS

0.4%

top 42.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Redhat Openshift Jenkins Core +1 more

Timeline

PublishedNov 25

Latest updateMay 17

Description

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages4 packages

▶NVDjenkins/jenkins1.625.1+3

▶jenkinsjenkins/jenkins_lts

▶jenkinsjenkins/jenkins_core

▶NVDredhat/openshift3.1+1

🔴Vulnerability Details

OSV

Jenkins improperly ensures trust separation↗2022-05-17

▶

GHSA

Jenkins improperly ensures trust separation↗2022-05-17

▶

OSV

Jenkins allows Bypass of Access Restrictions↗2022-05-13

▶

GHSA

Jenkins allows Bypass of Access Restrictions↗2022-05-13

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2015-11-11↗2015-11-11

▶

Red Hat

jenkins: JNLP slaves not subject to slave-to-master access control (SECURITY-206)↗2015-11-11

▶

Red Hat

jenkins: remote code execution from slaves (SECURITY-144)↗2014-10-30

▶

Jenkins

Jenkins Security Advisory 2014-10-30↗2014-10-30

▶

💬Community

Bugzilla

CVE-2015-5325 jenkins: JNLP slaves not subject to slave-to-master access control (SECURITY-206)↗2015-11-16

▶

Bugzilla

CVE-2014-3665 jenkins: remote code execution from slaves (SECURITY-144)↗2014-09-30

▶