List: oss-security
Subject: Re: [oss-security] Multiple vulnerabilities in Jenkins
From: Daniel Beck <ml () beckweb ! net>
Date: 2018-07-18 16:32:10
Message-ID: D2FED7A8-F45F-403A-B474-A1B42B1A815F () beckweb ! net
> On 18. Jul 2018, at 16:38, Daniel Beck <ml@beckweb.net> wrote:
>
> SECURITY-897
> Unauthenticated users could provide maliciously crafted login credentials
> that cause Jenkins to move the config.xml file from the Jenkins home
> directory. This configuration file contains basic configuration of
> Jenkins, including the selected security realm and authorization strategy.
> If Jenkins is started without this file present, it will revert to the
> legacy defaults of granting administrator access to anonymous users.
CVE-2018-1999001
> SECURITY-914
> An arbitrary file read vulnerability in the Stapler web framework used by
> Jenkins allowed unauthenticated users to send crafted HTTP requests
> returning the contents of any file on the Jenkins master file system that
> the Jenkins master process has access to.
CVE-2018-1999002
> SECURITY-891
> The URLs handling cancellation of queued builds did not perform a
> permission check, allowing users with Overall/Read permission to cancel
> queued builds.
CVE-2018-1999003
> SECURITY-892
> The URL that initiates agent launches on the Jenkins master did not perform
> a permission check, allowing users with Overall/Read permission to initiate
> agent launches.
CVE-2018-1999004
> SECURITY-944
> The build timeline widget shown on URLs like /view/…/builds did not
> properly escape display names of items. This resulted in a cross-site
> scripting vulnerability exploitable by users able to control item display
> names.
CVE-2018-1999005
> SECURITY-925
> Files indicating when a plugin JPI file was last extracted into a
> subdirectory of plugins/ in the Jenkins home directory were accessible via
> HTTP by users with Overall/Read permission. This allowed unauthorized users
> to determine the likely install date of a given plugin.
CVE-2018-1999006
> SECURITY-390
> Stapler is the web framework used by Jenkins to route HTTP requests. When
> its debug mode is enabled, HTTP 404 error pages display diagnostic
> information. Those error pages did not escape parts of URLs they displayed,
> in rare cases resulting in a cross-site scripting vulnerability.
CVE-2018-1999007