{"url":"http://public2.vulnerablecode.io/api/packages/62086?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2","type":"maven","namespace":"org.jenkins-ci.main","name":"jenkins-core","version":"1.625.2","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"1.638","latest_non_vulnerable_version":"2.551","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43521?format=json","vulnerability_id":"VCID-126z-y9y8-zqhx","summary":"Jenkins does not Verify Checksums for Plugin Files\nThe Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2016:0070","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:0070"},{"reference_url":"https://github.com/jenkinsci/jenkins","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/11479a2cc0a322a6bcd7e65667f3d24aa4d444bb","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins/commit/11479a2cc0a322a6bcd7e65667f3d24aa4d444bb"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/97adb71aa4509f91e408a16ba312e817ec015cf4","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins/commit/97adb71aa4509f91e408a16ba312e817ec015cf4"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/9ec88357a354d8354728cc06e2b8c8b68aee58bf","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins/commit/9ec88357a354d8354728cc06e2b8c8b68aee58bf"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/c158648afa8888bc49ac337c973d4e4bc050118e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins/commit/c158648afa8888bc49ac337c973d4e4bc050118e"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/f99cb46e06f394637067730a82f46bddc3567295","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins/commit/f99cb46e06f394637067730a82f46bddc3567295"},{"reference_url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09","reference_id":"","reference_type":"","scores":[],"url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-7539","reference_id":"CVE-2015-7539","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-7539"},{"reference_url":"https://github.com/advisories/GHSA-x274-9m9r-fm5g","reference_id":"GHSA-x274-9m9r-fm5g","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-x274-9m9r-fm5g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62086?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2"},{"url":"http://public2.vulnerablecode.io/api/packages/62204?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.640","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.640"}],"aliases":["CVE-2015-7539","GHSA-x274-9m9r-fm5g"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-126z-y9y8-zqhx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43391?format=json","vulnerability_id":"VCID-ab4r-frnk-mqcc","summary":"Jenkins Vulnerable to Cross-Site Request Forgery (CSRF) Attack\nJenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2016:0070","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:0070"},{"reference_url":"https://github.com/jenkinsci/jenkins","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/ba747888108d0db90d469c6d210b1df465d8fac1","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins/commit/ba747888108d0db90d469c6d210b1df465d8fac1"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/ef2c0dc163695af3a57ad7a45571293377ff679b","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins/commit/ef2c0dc163695af3a57ad7a45571293377ff679b"},{"reference_url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09","reference_id":"","reference_type":"","scores":[],"url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-7538","reference_id":"CVE-2015-7538","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-7538"},{"reference_url":"https://github.com/advisories/GHSA-w7qm-fprw-cqgq","reference_id":"GHSA-w7qm-fprw-cqgq","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-w7qm-fprw-cqgq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62086?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2"},{"url":"http://public2.vulnerablecode.io/api/packages/62204?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.640","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.640"}],"aliases":["CVE-2015-7538","GHSA-w7qm-fprw-cqgq"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ab4r-frnk-mqcc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43451?format=json","vulnerability_id":"VCID-bx69-k68h-3fbx","summary":"Jenkins Vulnerable to Cross-Site Request Forgery (CSRF) Attack\nCross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2016:0070","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:0070"},{"reference_url":"https://github.com/jenkinsci/jenkins","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/40a28999e221a209212c30586be9c39049510bd1","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins/commit/40a28999e221a209212c30586be9c39049510bd1"},{"reference_url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09","reference_id":"","reference_type":"","scores":[],"url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-7537","reference_id":"CVE-2015-7537","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-7537"},{"reference_url":"https://github.com/advisories/GHSA-3vhr-f5xr-8vpx","reference_id":"GHSA-3vhr-f5xr-8vpx","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3vhr-f5xr-8vpx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62086?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2"},{"url":"http://public2.vulnerablecode.io/api/packages/62204?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.640","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.640"}],"aliases":["CVE-2015-7537","GHSA-3vhr-f5xr-8vpx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bx69-k68h-3fbx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43354?format=json","vulnerability_id":"VCID-cyyt-dv19-aqgz","summary":"Jenkins allows Exposure of Sensitive Information to an Unauthorized Actor\nJenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2016:0070","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:0070"},{"reference_url":"https://github.com/jenkinsci/jenkins","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins"},{"reference_url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11","reference_id":"","reference_type":"","scores":[],"url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5320","reference_id":"CVE-2015-5320","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5320"},{"reference_url":"https://github.com/advisories/GHSA-449q-v4j2-5h8p","reference_id":"GHSA-449q-v4j2-5h8p","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-449q-v4j2-5h8p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62086?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2"},{"url":"http://public2.vulnerablecode.io/api/packages/62085?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.638","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.638"}],"aliases":["CVE-2015-5320","GHSA-449q-v4j2-5h8p"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cyyt-dv19-aqgz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43366?format=json","vulnerability_id":"VCID-gmne-mnta-7khy","summary":"Jenkins allows Unauthorized Viewing of Queue API Information\nJenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2016:0070","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:0070"},{"reference_url":"https://github.com/jenkinsci/jenkins","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/33b55588a6a5f844a59f2cd8940d385c6d412eb5","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins/commit/33b55588a6a5f844a59f2cd8940d385c6d412eb5"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/4a72e938d58598cd4bd3caa48ee9e8a3f60c30e4","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins/commit/4a72e938d58598cd4bd3caa48ee9e8a3f60c30e4"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/581eb9ceb354b8a55c010d0547ff73cb6fd67a75","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins/commit/581eb9ceb354b8a55c010d0547ff73cb6fd67a75"},{"reference_url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11","reference_id":"","reference_type":"","scores":[],"url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5324","reference_id":"CVE-2015-5324","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5324"},{"reference_url":"https://github.com/advisories/GHSA-5xmf-9vgr-53mj","reference_id":"GHSA-5xmf-9vgr-53mj","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5xmf-9vgr-53mj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62086?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2"},{"url":"http://public2.vulnerablecode.io/api/packages/62085?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.638","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.638"}],"aliases":["CVE-2015-5324","GHSA-5xmf-9vgr-53mj"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gmne-mnta-7khy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43386?format=json","vulnerability_id":"VCID-hzw1-bfa6-47au","summary":"Jenkins Vulnerable to Cross-Site Request Forgery (CSRF) Attack\nJenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2016:0070","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:0070"},{"reference_url":"https://github.com/jenkinsci/jenkins","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/f53802bb82a25b295b6dfa3bf2a591a6c8552183","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins/commit/f53802bb82a25b295b6dfa3bf2a591a6c8552183"},{"reference_url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11","reference_id":"","reference_type":"","scores":[],"url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5318","reference_id":"CVE-2015-5318","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5318"},{"reference_url":"https://github.com/advisories/GHSA-3wmv-7php-rhg5","reference_id":"GHSA-3wmv-7php-rhg5","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3wmv-7php-rhg5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62086?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2"},{"url":"http://public2.vulnerablecode.io/api/packages/62085?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.638","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.638"}],"aliases":["CVE-2015-5318","GHSA-3wmv-7php-rhg5"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hzw1-bfa6-47au"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43348?format=json","vulnerability_id":"VCID-jj3u-n2vy-5fe8","summary":"Jenkins discloses project names via fingerprints\nThe Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2016:0070","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:0070"},{"reference_url":"https://github.com/jenkinsci/jenkins","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/0594c4cbccd24d4883fc0150e8fc511c9da63eb4","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins/commit/0594c4cbccd24d4883fc0150e8fc511c9da63eb4"},{"reference_url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11","reference_id":"","reference_type":"","scores":[],"url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-5317","reference_id":"","reference_type":"","scores":[],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-5317"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5317","reference_id":"CVE-2015-5317","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5317"},{"reference_url":"https://github.com/advisories/GHSA-8pqx-3rxx-f5pm","reference_id":"GHSA-8pqx-3rxx-f5pm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-8pqx-3rxx-f5pm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62086?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2"},{"url":"http://public2.vulnerablecode.io/api/packages/62085?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.638","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.638"}],"aliases":["CVE-2015-5317","GHSA-8pqx-3rxx-f5pm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jj3u-n2vy-5fe8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43605?format=json","vulnerability_id":"VCID-jr67-gaw6-8kef","summary":"Jenkins has Local File Inclusion Vulnerability\nDirectory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2016:0070","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:0070"},{"reference_url":"https://github.com/jenkinsci/jenkins","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/5431e397216b4ab80e58bdabcb06a0066bce6592","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins/commit/5431e397216b4ab80e58bdabcb06a0066bce6592"},{"reference_url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11","reference_id":"","reference_type":"","scores":[],"url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5322","reference_id":"CVE-2015-5322","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5322"},{"reference_url":"https://github.com/advisories/GHSA-89vc-7frq-2rfj","reference_id":"GHSA-89vc-7frq-2rfj","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-89vc-7frq-2rfj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62086?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2"},{"url":"http://public2.vulnerablecode.io/api/packages/62085?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.638","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.638"}],"aliases":["CVE-2015-5322","GHSA-89vc-7frq-2rfj"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jr67-gaw6-8kef"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43340?format=json","vulnerability_id":"VCID-kupx-qgas-r7fz","summary":"Jenkins allows Cross-Site Scripting (XSS)\nCross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2016:0070","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:0070"},{"reference_url":"https://github.com/jenkinsci/jenkins","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/abe561499bbba2e725804c1117fc957028bbd608","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins/commit/abe561499bbba2e725804c1117fc957028bbd608"},{"reference_url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11","reference_id":"","reference_type":"","scores":[],"url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5326","reference_id":"CVE-2015-5326","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5326"},{"reference_url":"https://github.com/advisories/GHSA-5mwr-jg3r-jv66","reference_id":"GHSA-5mwr-jg3r-jv66","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5mwr-jg3r-jv66"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62086?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2"},{"url":"http://public2.vulnerablecode.io/api/packages/62085?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.638","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.638"}],"aliases":["CVE-2015-5326","GHSA-5mwr-jg3r-jv66"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kupx-qgas-r7fz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43339?format=json","vulnerability_id":"VCID-qtrn-g5ck-d3gs","summary":"Jenkins has Information Disclosure via Sidepanel Widget\nThe sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2016:0070","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:0070"},{"reference_url":"https://github.com/jenkinsci/jenkins","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/251bdb00ab3cf4435416f0a55fa3bccf7f58896a","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins/commit/251bdb00ab3cf4435416f0a55fa3bccf7f58896a"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/9e439d462c28fe1c96799c89709dc5d0cb8ab8fa","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins/commit/9e439d462c28fe1c96799c89709dc5d0cb8ab8fa"},{"reference_url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11","reference_id":"","reference_type":"","scores":[],"url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5321","reference_id":"CVE-2015-5321","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5321"},{"reference_url":"https://github.com/advisories/GHSA-4653-rmch-3g2g","reference_id":"GHSA-4653-rmch-3g2g","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4653-rmch-3g2g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62086?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2"},{"url":"http://public2.vulnerablecode.io/api/packages/62085?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.638","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.638"}],"aliases":["CVE-2015-5321","GHSA-4653-rmch-3g2g"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qtrn-g5ck-d3gs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43612?format=json","vulnerability_id":"VCID-swpw-2zw3-d3hy","summary":"Jenkins allows Bypass of Access Restrictions\nJenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2016:0070","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:0070"},{"reference_url":"https://github.com/jenkinsci/jenkins","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/054a329c59171ca12ff98f7063ce7fd053ee08bf","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins/commit/054a329c59171ca12ff98f7063ce7fd053ee08bf"},{"reference_url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11","reference_id":"","reference_type":"","scores":[],"url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5325","reference_id":"CVE-2015-5325","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5325"},{"reference_url":"https://github.com/advisories/GHSA-x2q2-8pwq-fr5r","reference_id":"GHSA-x2q2-8pwq-fr5r","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-x2q2-8pwq-fr5r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62086?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2"},{"url":"http://public2.vulnerablecode.io/api/packages/62085?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.638","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.638"}],"aliases":["CVE-2015-5325","GHSA-x2q2-8pwq-fr5r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-swpw-2zw3-d3hy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43336?format=json","vulnerability_id":"VCID-uxkw-sxe4-gffs","summary":"Jenkins has XML External Entity (XXE) Vulnerability in Job Configuration via CLI\nXML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an \"XML-aware tool,\" as demonstrated by get-job and update-job.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2016:0070","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:0070"},{"reference_url":"https://github.com/jenkinsci/jenkins","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/e78e9e8144f7304cf274cd4b756f458cf63a3556","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins/commit/e78e9e8144f7304cf274cd4b756f458cf63a3556"},{"reference_url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11","reference_id":"","reference_type":"","scores":[],"url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5319","reference_id":"CVE-2015-5319","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5319"},{"reference_url":"https://github.com/advisories/GHSA-3j9c-cp7m-8w8g","reference_id":"GHSA-3j9c-cp7m-8w8g","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3j9c-cp7m-8w8g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62086?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2"},{"url":"http://public2.vulnerablecode.io/api/packages/62085?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.638","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.638"}],"aliases":["CVE-2015-5319","GHSA-3j9c-cp7m-8w8g"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uxkw-sxe4-gffs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43588?format=json","vulnerability_id":"VCID-vuwz-whaq-rybd","summary":"Jenkins allows Administrators to Access API Tokens\nJenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2016:0070","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:0070"},{"reference_url":"https://github.com/jenkinsci/jenkins","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins"},{"reference_url":"https://github.com/jenkinsci/jenkins/commit/b3f16489ad5f15c3e749ed066cf6b4251f6668c6","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jenkinsci/jenkins/commit/b3f16489ad5f15c3e749ed066cf6b4251f6668c6"},{"reference_url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11","reference_id":"","reference_type":"","scores":[],"url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5323","reference_id":"CVE-2015-5323","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5323"},{"reference_url":"https://github.com/advisories/GHSA-x4m5-j4x4-4wjg","reference_id":"GHSA-x4m5-j4x4-4wjg","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-x4m5-j4x4-4wjg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62086?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2"},{"url":"http://public2.vulnerablecode.io/api/packages/62085?format=json","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core@1.638","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.638"}],"aliases":["CVE-2015-5323","GHSA-x4m5-j4x4-4wjg"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vuwz-whaq-rybd"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.625.2"}