CVE-2016-3727: Jenkins Exposes Sensitive Information via API URL
(updated )
The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.
References
- access.redhat.com/errata/RHSA-2016:1206
- github.com/advisories/GHSA-6cr3-cm5h-8q96
- github.com/jenkinsci/jenkins
- github.com/jenkinsci/jenkins/commit/d66ad6f3ee46a5c6bb865bb831e8cdfc74cd7eb3
- nvd.nist.gov/vuln/detail/CVE-2016-3727
- wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
- www.cloudbees.com/jenkins-security-advisory-2016-05-11
Detect and mitigate CVE-2016-3727 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →