Jenkins Exposes Sensitive Information via API URL

GHSA-6cr3-cm5h-8q96 · CVE-2016-3727

Published May 14, 2022 · Modified Mar 13, 2025

Description

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2016-3727
WEB https://github.com/jenkinsci/jenkins/commit/d66ad6f3ee46a5c6bb865bb831e8cdfc74cd7eb3
WEB https://access.redhat.com/errata/RHSA-2016:1206
PACKAGE https://github.com/jenkinsci/jenkins
WEB https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
WEB https://www.cloudbees.com/jenkins-security-advisory-2016-05-11
WEB http://rhn.redhat.com/errata/RHSA-2016-1773.html

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes