Vulnerabilities
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2016-04-07 | CVE-2016-1531 | Permissions, Privileges, and Access Controls vulnerability in Exim Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument. | 7.0 |
| 2016-04-07 | CVE-2016-0792 | Improper Input Validation vulnerability in multiple products Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando. | 8.8 |
| 2016-04-07 | CVE-2016-0791 | Information Exposure vulnerability in multiple products Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach. | 9.8 |
| 2016-04-07 | CVE-2016-0790 | 7PK - Security Features vulnerability in multiple products Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach. | 5.3 |
| 2016-04-07 | CVE-2016-0789 | Improper Input Validation vulnerability in multiple products CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. | 6.1 |
| 2016-04-07 | CVE-2016-0788 | Permissions, Privileges, and Access Controls vulnerability in multiple products The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener. | 9.8 |
| 2016-04-07 | CVE-2016-2511 | Cross-site Scripting vulnerability in multiple products Cross-site scripting (XSS) vulnerability in WebSVN 2.3.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the path parameter to log.php. | 6.1 |
| 2016-04-07 | CVE-2016-2216 | Improper Input Validation vulnerability in multiple products The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a. | 7.5 |
| 2016-04-07 | CVE-2016-2086 | Improper Input Validation vulnerability in multiple products Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allow remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header. | 7.5 |
| 2016-04-07 | CVE-2016-0729 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Multiple buffer overflows in (1) internal/XMLReader.cpp, (2) util/XMLURL.cpp, and (3) util/XMLUri.cpp in the XML Parser library in Apache Xerces-C before 3.1.3 allow remote attackers to cause a denial of service (segmentation fault or memory corruption) or possibly execute arbitrary code via a crafted document. | 9.8 |