CVE-2014-3665 - OpenCVE

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Jenkins	Jenkins

Configuration 1 [-]

cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1147767
https://wiki.jenkins-ci.org/display/JENKINS/Slave+To+Master+Access+Control	Vendor Advisory
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30	Vendor Advisory
https://www.cloudbees.com/jenkins-security-advisory-2014-10-30	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2015-11-25T20:00:00

Updated: 2016-06-09T16:57:01

Reserved: 2014-05-14T00:00:00

Link: CVE-2014-3665

JSON object: View

NVD Information

Status : Modified

Published: 2015-11-25T20:59:00.190

Modified: 2023-02-13T00:41:42.943

Link: CVE-2014-3665

JSON object: View

Redhat Information

No data.

CWE

CWE-264

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*", "matchCriteriaId": "90230A3F-36A2-45C9-A506-31CC896ABE21", "versionEndIncluding": "1.586", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "matchCriteriaId": "A50FA41C-BF02-4D87-B1DA-7F3EE6E9C367", "versionEndIncluding": "1.565.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave."}, {"lang": "es", "value": "Jenkins en versiones anteriores a 1.587 y LTS en versiones anteriores a 1.580.1 no asegura correctamente la separaci\u00f3n de confianza entre un maestro y un esclavo, lo que podr\u00eda permitir a atacantes remotos ejecutar c\u00f3digo arbitrario en el maestro aprovechando el acceso al esclavo."}], "id": "CVE-2014-3665", "lastModified": "2023-02-13T00:41:42.943", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-11-25T20:59:00.190", "references": [{"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1147767"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://wiki.jenkins-ci.org/display/JENKINS/Slave+To+Master+Access+Control"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://www.cloudbees.com/jenkins-security-advisory-2014-10-30"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}