CVE-2016-3723

MEDIUM

Jenkins <2.3 & LTS <1.651.2 - Info Disclosure

Title source: llm

Description

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

References (4)

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2016-1773.html

[Vendor Advisory] https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11

[Vendor Advisory] https://www.cloudbees.com/jenkins-security-advisory-2016-05-11

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2016:1206

Scores

CVSS v3 4.3

EPSS 0.0007

EPSS Percentile 21.1%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-200

Status draft

Affected Products (5)

jenkins/jenkins < 2.2

jenkins/jenkins < 1.651.1

redhat/openshift

org.jenkins-ci.main/jenkins-core < 2.3Maven

Timeline

Published May 17, 2016

Tracked Since Feb 18, 2026