Moderate severity · NVD Advisory · Published Oct 16, 2014 · Updated May 6, 2026
CVE-2014-3679
Description
The Monitoring plugin before 1.53.0 for Jenkins allows remote attackers to obtain sensitive information by accessing unspecified pages.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jvnet.hudson.plugins:monitoring (Maven) | < 1.53.0 | 1.53.0 |
Affected products
- cpe:2.3:a:jenkins-ci:monitoring_plugin:1.40.0:*:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:monitoring_plugin:1.41.0:*:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:monitoring_plugin:1.42.0:*:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:monitoring_plugin:1.43.0:*:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:monitoring_plugin:1.44.0:*:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:monitoring_plugin:1.45.0:*:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:monitoring_plugin:1.46.0:*:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:monitoring_plugin:1.47.0:*:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:monitoring_plugin:1.48.0:*:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:monitoring_plugin:1.49.0:*:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:monitoring_plugin:1.50.0:*:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:monitoring_plugin:1.51.0:*:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:monitoring_plugin:1.52.0:*:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:monitoring_plugin:*:*:*:*:*:cloudbees_jenkins:*:* (version range: <= 1.52.1)
Patches
f0f6aeef2032 [FIXED SECURITY-113]
1 file changed · +12 −1
src/main/java/org/jvnet/hudson/plugins/monitoring/HudsonMonitoringFilter.java+12 −1 modified@@ -19,6 +19,7 @@ package org.jvnet.hudson.plugins.monitoring; import java.io.IOException; +import java.util.Enumeration; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; @@ -69,9 +70,19 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha final String monitoringUrl = getMonitoringUrl(httpRequest); final String monitoringSlavesUrl = monitoringUrl + "/nodes"; if (!PLUGIN_AUTHENTICATION_DISABLED - && (requestURI.equals(monitoringUrl) || requestURI.equals(monitoringSlavesUrl))) { + && (requestURI.equals(monitoringUrl) || requestURI.startsWith(monitoringSlavesUrl))) { // only the Hudson/Jenkins administrator can view the monitoring report Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER); + Enumeration<?> parameterNames = request.getParameterNames(); + while (parameterNames.hasMoreElements()) { + String parameterName = (String) parameterNames.nextElement(); + for (String value : request.getParameterValues(parameterName)) { + if (value.indexOf('"') != -1 || value.indexOf('\'') != -1 || value.indexOf('<') != -1 || value.indexOf('&') != -1) { + ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST); + return; + } + } + } } if (requestURI.startsWith(monitoringSlavesUrl)) {
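Review bot: in the second hunk the new parameter loop is placed inside the `if (!PLUGIN_AUTHENTICATION_DISABLED && ...)` block, so when `PLUGIN_AUTHENTICATION_DISABLED` is true neither the `Jenkins.ADMINISTER` permission check nor the new parameter rejection runs; if the character filter is meant to protect the report regardless of how authentication is configured, move the loop out of that conditional so it applies to every matching request. Two smaller points in the same hunk: the switch from `requestURI.equals(monitoringSlavesUrl)` to `requestURI.startsWith(monitoringSlavesUrl)` correctly brings sub-paths under `/nodes` inside the permission check, but `startsWith` also matches any path that merely begins with that string, so `requestURI.equals(monitoringSlavesUrl) || requestURI.startsWith(monitoringSlavesUrl + "/")` would express the intent more precisely; and the rejection of `"`, `'`, `<` and `&` is a denylist of four characters (`>` is not among them), which is fragile as the only defence against reflected parameter values, so the parameters the report actually accepts should be documented and validated against an allowlist, with output encoding kept in place on the rendering side.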
References
- github.com/advisories/GHSA-qwc3-p5pc-q93h (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2014-3679 (GHSA, advisory)
- wiki.jenkins-ci.org/display/JENKINS/Monitoring (NVD, vendor advisory, web)
- wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-01 (NVD, vendor advisory, web)
- github.com/jenkinsci/monitoring-plugin/commit/f0f6aeef2032696c97d4b015dd51fa2b841b0473 (GHSA, web)