[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] Multiple vulnerabilities in Jenkins plugins
From: Daniel Beck <ml () beckweb ! net>
Date: 2018-01-25 9:01:56
Message-ID: 199D28DA-A105-401F-B57F-26CEC04C9A80 () beckweb ! net
[Download RAW message or body]
> On 22. Jan 2018, at 12:35, Daniel Beck <ml@beckweb.net> wrote:
>
> SECURITY-655 (PMD)
CVE-2018-1000008
> SECURITY-656 (Checkstyle)
CVE-2018-1000009
> SECURITY-657 (DRY)
CVE-2018-1000010
> SECURITY-658 (FindBugs)
CVE-2018-1000011
> SECURITY-695 (Warnings)
CVE-2018-1000012
> Multiple plugins based on the Static Analysis Utilities plugin are affected by
> an XML External Entity (XXE) processing vulnerability. This allows attacker to
> configure build processes so that one of these plugins parses a maliciously
> crafted file that uses external entities for extraction of secrets from the
> Jenkins master, server-side request forgery, or denial-of-service attacks.
>
>
> SECURITY-607
> Release plugin did not require form submissions to be submitted via POST,
> resulting in a CSRF vulnerability allowing attackers to trigger release builds.
CVE-2018-1000013
> SECURITY-507
> Translation Assistance did not require form submissions to be submitted via
> POST, resulting in a CSRF vulnerability allowing attackers to override
> localized strings displayed to all users on the current Jenkins instance if
> the victim is a Jenkins administrator.
CVE-2018-1000014
> SECURITY-675
> On instances with Authorize Project plugin, the authentication associated with
> a build may lack the Computer/Build permission on some agents. This did not
> prevent the execution of Pipeline `node` blocks on those agents due to
> incorrect permissions checks in Pipeline: Nodes and Processes plugin.
CVE-2018-1000015
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic