The following flaw was found in Jenkins: When creating a job using the create-job CLI command, external entities are not discarded (nor processed). If these job configurations are processed by another user with an XML-aware tool (e.g. using get-job/update-job), information from that user's computer may be disclosed to Jenkins and the attacker. Exploiting this flaw requires a high degree of specific user interaction, and the limited information that can be gained this way. External References: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
Fixed in Fedora in: jenkins-1.609.3-3.fc22 jenkins-1.625.2-2.fc23 jenkins-1.625.2-2.fc24
This issue has been addressed in the following products: RHEL 7 Version of OpenShift Enterprise 3.1 Via RHSA-2016:0070 https://access.redhat.com/errata/RHSA-2016:0070
This issue has been addressed in the following products: Red Hat OpenShift Enterprise 2.2 Via RHSA-2016:0489 https://rhn.redhat.com/errata/RHSA-2016-0489.html