Vigil@nce - Jenkins Plugins: six vulnerabilities
May 2017 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use several vulnerabilities of Jenkins Plugins.
Impacted products: Jenkins Plugins not comprehensive.
Severity: 2/4.
Creation date: 21/03/2017.
DESCRIPTION OF THE VULNERABILITY
Several vulnerabilities were announced in Jenkins Plugins.
An attacker can act as a Man-in-the-Middle via SSH Slaves, in
order to read or write data in the session. [severity:2/4;
CVE-2017-2648]
An attacker can act as a Man-in-the-Middle via Active Directory,
in order to read or write data in the session. [severity:2/4;
CVE-2017-2649]
An attacker can bypass security features via Pipeline Classpath
Step, in order to escalate his privileges. [severity:2/4;
CVE-2017-2650]
An attacker can use Mailer, in order to send spam emails.
[severity:2/4; CVE-2017-2651]
An attacker can use Email Extension, in order to send spam emails.
[severity:2/4; CVE-2017-2654]
An attacker can bypass security features via Distributed Fork, in
order to escalate his privileges. [severity:2/4; CVE-2017-2652]
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Jenkins-Plugins-six-vulnerabilities-22197