Jenkins developers report:

The agent to master security subsystem ensures that the Jenkins master is protected from maliciously configured agents. A path traversal vulnerability allowed agents to escape whitelisted directories to read and write to files they should not be able to access.

Black Duck Hub Plugin's API endpoint was affected by an XML External Entity (XXE) processing vulnerability. This allowed an attacker with Overall/Read access to have Jenkins parse a maliciously crafted file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks.

Several other lower severity issues were reported; see the reference URL for details.
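As an added illustration of the two defensive measures the advisory implies (this is not code from Jenkins or the Black Duck Hub plugin), the following Java sketch shows a canonical-path check that keeps an agent-requested path inside a whitelisted directory, and a DocumentBuilder configured so that DTDs and external entities are never resolved. The helper names and the sample XML document are assumptions constructed for this example.

```java
import java.io.File;
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class JenkinsAdvisoryChecks {
    // Hypothetical helper: resolve a path requested by an agent against a whitelisted
    // directory and reject anything whose canonical form lands outside it.
    static File resolveWithinWhitelist(File whitelistedDir, String requested) throws IOException {
        File base = whitelistedDir.getCanonicalFile();
        File target = new File(base, requested).getCanonicalFile();
        // Canonical paths are compared, so "../" segments and symlinks cannot escape the base.
        if (!target.toPath().startsWith(base.toPath())) {
            throw new SecurityException("Path escapes whitelisted directory: " + requested);
        }
        return target;
    }

    // Hypothetical helper: a parser that refuses DOCTYPEs and never fetches external entities or DTDs.
    static DocumentBuilder hardenedXmlParser() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        File tmp = new File(System.getProperty("java.io.tmpdir"));
        System.out.println("allowed: " + resolveWithinWhitelist(tmp, "build.log"));
        try {
            resolveWithinWhitelist(tmp, "../../escaped.txt");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Constructed sample: any document carrying a DOCTYPE is refused before entities are looked at.
        String xml = "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY e SYSTEM \"file:///example-path\">]><r>&e;</r>";
        try {
            hardenedXmlParser().parse(new InputSource(new StringReader(xml)));
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```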