CVE-2016-3725 — Improper Handling of Insufficient Permissions or Privileges in Jenkins

CWE-264 CWE-280 — Improper Handling of Insufficient Permissions or Privileges8 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 62.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Redhat Openshift

Timeline

PublishedMay 17

Latest updateMay 14

Description

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDjenkins/jenkins1.651.1+1

▶NVDredhat/openshift3.1, 3.2+1

🔴Vulnerability Details

GHSA

Missing permissions check in Jenkins Core↗2022-05-14

▶

OSV

Missing permissions check in Jenkins Core↗2022-05-14

▶

CVEList

CVE-2016-3725: Jenkins before 2↗2016-05-17

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2016-05-11↗2016-05-11

▶

Red Hat

jenkins: Regular users can trigger download of update site metadata (SECURITY-273)↗2016-05-11

▶

💬Community

Bugzilla

CVE-2016-3725 jenkins: Regular users can trigger download of update site metadata (SECURITY-273)↗2016-05-12

▶

Bugzilla

CVE-2016-3721 CVE-2016-3722 CVE-2016-3723 CVE-2016-3724 CVE-2016-3725 CVE-2016-3726 CVE-2016-3727 jenkins: various flaws [fedora-all]↗2016-05-12

▶