Jenkins Security Advisory reports:
This advisory announces multiple security vulnerabilities that
were found in Jenkins core.
- One of the vulnerabilities allows cross-site request
forgery (CSRF) attacks on Jenkins master, which causes an user
to make unwanted actions on Jenkins. Another vulnerability
enables cross-site scripting (XSS) attacks, which has the similar
consequence. Another vulnerability allowed an attacker to bypass
the CSRF protection mechanism in place, thereby mounting more CSRF
attackes. These attacks allow an attacker without direct access to
Jenkins to mount an attack.
- In the fourth vulnerability, a malicious user of Jenkins can trick
Jenkins into building jobs that he does not have direct access to.
- And lastly, a vulnerability allows a malicious user of Jenkins to
mount a denial of service attack by feeding a carefully crafted
payload to Jenkins.