CVE-2016-3725

MEDIUM

Jenkins <2.3 & LTS <1.651.2 - Privilege Escalation

Title source: llm

Description

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

References (4)

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2016-1773.html

[Vendor Advisory] https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11

[Vendor Advisory] https://www.cloudbees.com/jenkins-security-advisory-2016-05-11

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2016:1206

Scores

CVSS v3 4.3

EPSS 0.0016

EPSS Percentile 37.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Classification

CWE

CWE-264

Status draft

Affected Products (5)

jenkins/jenkins < 1.651.1

jenkins/jenkins < 2.2

redhat/openshift

redhat/openshift

org.jenkins-ci.main/jenkins-core < 2.3Maven

Timeline

Published May 17, 2016

Tracked Since Feb 18, 2026