CVE-2014-2058 — Jenkins allows attackers to execute arbitrary jobs

Description

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

How to fix CVE-2014-2058

To remediate CVE-2014-2058, upgrade the affected package to a fixed version below.

Maven/org.jenkins-ci.main:jenkins-core—upgrade to 1.551 or later

Is CVE-2014-2058 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 1.533, < 1.551

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-2058
PATCHgithub.com/jenkinsci/jenkins
WEBgithub.com/jenkinsci/jenkins/commit/b6b2a367a7976be80a799c6a49fa6c58d778b50e
WEBwiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14