CVE-2014-2062

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Published Bysecurity@debian.org

Published DateOct 17, 2014, 15:55

Affected Versions(2)

org.jenkins-ci.main:jenkins-core(Maven)

Introduced1.533

Fixed1.551

LimitN/A

org.jenkins-ci.main:jenkins-core(Maven)

Introduced0

Fixed1.532.2

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.jenkins-ci.main:jenkins-core(Maven)	1.533	1.551	N/A
org.jenkins-ci.main:jenkins-core(Maven)	0	1.532.2	N/A

Weakness Type (CWE):CWE-287

CVSS Metrics

Base Score

6.5

Vector String

AV:N/AC:L/Au:S/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL

References

Weakness Type (CWE):CWE-287

CVSS Metrics

Base Score

6.5

Vector String

AV:N/AC:L/Au:S/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL