CVE-2016-3727 — Sensitive Information Exposure in Jenkins

CWE-200 — Sensitive Information Exposure9 documents8 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 74.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Redhat Openshift

Timeline

PublishedMay 17

Latest updateMay 14

Description

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDjenkins/jenkins2.2+1

▶NVDredhat/openshift3.1, 3.2+1

🔴Vulnerability Details

OSV

Jenkins Exposes Sensitive Information via API URL↗2022-05-14

▶

GHSA

Jenkins Exposes Sensitive Information via API URL↗2022-05-14

▶

CVEList

CVE-2016-3727: The API URL computer/(master)/api/xml in Jenkins before 2↗2016-05-17

▶

📋Vendor Advisories

Red Hat

jenkins: Granting the permission to read node configurations allows access to overall system configuration (SECURITY-281)↗2016-05-11

▶

Jenkins

Jenkins Security Advisory 2016-05-11↗2016-05-11

▶

💬Community

HackerOne

Outdated Jenkins server hosted at OwnCloud.org↗2017-03-30

▶

Bugzilla

CVE-2016-3727 jenkins: Granting the permission to read node configurations allows access to overall system configuration (SECURITY-281)↗2016-05-12

▶

Bugzilla

CVE-2016-3721 CVE-2016-3722 CVE-2016-3723 CVE-2016-3724 CVE-2016-3725 CVE-2016-3726 CVE-2016-3727 jenkins: various flaws [fedora-all]↗2016-05-12

▶