This advisory announces a security vulnerability that was found
in Jenkins core.
An attacker can then use this master cryptographic key to mount
remote code execution attack against the Jenkins master, or
impersonate arbitrary users in making REST API calls.
There are several factors that mitigate some of these problems
that may apply to specific installations.
- The particular attack vector is only applicable on Jenkins
instances that have slaves attached to them, and allow
anonymous read access.
- Jenkins allows users to re-generate the API tokens. Those
re-generated API tokens cannot be impersonated by the
attacker.