CVE-2014-2068
Jenkins allows attackers to obtain sensitive information
EPSS 0.08%
Description
The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.
How to fix CVE-2014-2068
To remediate CVE-2014-2068, upgrade the affected package to a fixed version below.
- Maven/org.jenkins-ci.main:jenkins-core: upgrade to 1.551 or later
Is CVE-2014-2068 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Maven/org.jenkins-ci.main:jenkins-core: >= 1.533, < 1.551