Jenkins Multiple Plugins Vulnerabilities


Description   (#Several vulnerabilities have been identified in plugins for Jenkins:#- CVE-2016-4986: path traversal in TAP due to an improper filtering of a parameter, leading to arbitrary files read on the file system##- CVE-2016-4987: path traversal in Image Gallery due to an improper validation of form fields, leading to arbitrary directories listing and files read on the file system##- CVE-2016-4988: reflected cross-site scripting in Build Failure Analyzer due to an improper filtering of a parameter, leading to arbitrary HTML or JavaScript code execution.)
     
Vulnerable Products   Vulnerable Software:
Jenkins (Jenkins CI) -
     
Solution   - TAP Plugin: 1.25.
     
CVE   CVE-2016-4988
CVE-2016-4987
CVE-2016-4986
     
References   - Jenkins : Security Advisory 2016-06-20
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-06-20
     
Vulnerability Manager Detection   No
     
IPS Protection  
ASQ Engine alarm Available Since
Misc : Directory traversal - parameter starting with ../
3.2.0
Directory traversal using ..\..
3.2.0
Directory traversal
3.2.0
Directory traversal backward root folder
3.2.0
     


 
 
 
 
 Risk level 
Moderate 

 Vulnerability First Public Report Date 
2016-06-20 

 Target Type 
Server 

 Possible exploit 
Remote