List:       oss-security
Subject:    Re: [oss-security] Multiple vulnerabilities in Jenkins
From:       Daniel Beck <ml@beckweb.net>
Date:       2018-07-18 16:32:10
Message-ID: D2FED7A8-F45F-403A-B474-A1B42B1A815F@beckweb.net


> On 18. Jul 2018, at 16:38, Daniel Beck <ml@beckweb.net> wrote:
> 
> SECURITY-897
> Unauthenticated users could provide maliciously crafted login credentials 
> that cause Jenkins to move the config.xml file from the Jenkins home 
> directory. This configuration file contains basic configuration of 
> Jenkins, including the selected security realm and authorization strategy. 
> If Jenkins is started without this file present, it will revert to the 
> legacy defaults of granting administrator access to anonymous users.

CVE-2018-1999001

> SECURITY-914
> An arbitrary file read vulnerability in the Stapler web framework used by 
> Jenkins allowed unauthenticated users to send crafted HTTP requests 
> returning the contents of any file on the Jenkins master file system that 
> the Jenkins master process has access to.

CVE-2018-1999002

> SECURITY-891
> The URLs handling cancellation of queued builds did not perform a 
> permission check, allowing users with Overall/Read permission to cancel 
> queued builds.

CVE-2018-1999003

> SECURITY-892
> The URL that initiates agent launches on the Jenkins master did not perform 
> a permission check, allowing users with Overall/Read permission to initiate 
> agent launches.

CVE-2018-1999004

> SECURITY-944
> The build timeline widget shown on URLs like /view/…/builds did not 
> properly escape display names of items. This resulted in a cross-site 
> scripting vulnerability exploitable by users able to control item display 
> names.

CVE-2018-1999005

> SECURITY-925
> Files indicating when a plugin JPI file was last extracted into a 
> subdirectory of plugins/ in the Jenkins home directory were accessible via 
> HTTP by users with Overall/Read permission. This allowed unauthorized users 
> to determine the likely install date of a given plugin.

CVE-2018-1999006

> SECURITY-390
> Stapler is the web framework used by Jenkins to route HTTP requests. When 
> its debug mode is enabled, HTTP 404 error pages display diagnostic 
> information. Those error pages did not escape parts of URLs they displayed, 
> in rare cases resulting in a cross-site scripting vulnerability.

CVE-2018-1999007
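
The failure mode described under SECURITY-897 / CVE-2018-1999001 (config.xml gone from the Jenkins home directory, Jenkins reverting to anonymous administrator access) is easy to check for from the file system. The following audit script is an added example, not Jenkins project code and not part of the advisory above; it assumes a standard Jenkins home layout and inspects the useSecurity, authorizationStrategy and securityRealm elements found in a stock config.xml. The sample config.xml contents it writes into temporary directories are constructed for the demonstration.

```python
"""Audit a Jenkins home directory for the SECURITY-897 outcome.

Added example (not Jenkins code). If $JENKINS_HOME/config.xml is absent,
Jenkins starts with its legacy defaults, i.e. anonymous users get
administrator access, so a missing file is the first thing to flag. The
remaining checks catch a config.xml that is present but grants the same
thing explicitly.
"""

import os
import tempfile
import xml.etree.ElementTree as ET

# Class name Jenkins writes when authorization is switched off entirely.
UNSECURED = "hudson.security.AuthorizationStrategy$Unsecured"


def audit_jenkins_home(jenkins_home):
    """Return a list of findings for jenkins_home (empty list: nothing found)."""
    findings = []
    path = os.path.join(jenkins_home, "config.xml")
    if not os.path.exists(path):
        # Exactly the condition SECURITY-897 produces: on the next start
        # Jenkins falls back to granting anonymous users administrator rights.
        findings.append(
            "config.xml missing: Jenkins will start with anonymous admin access")
        return findings

    root = ET.parse(path).getroot()

    use_security = (root.findtext("useSecurity", default="") or "").strip().lower()
    if use_security != "true":
        findings.append("useSecurity is not true: access control is disabled")

    strategy = root.find("authorizationStrategy")
    if strategy is None or strategy.get("class") == UNSECURED:
        findings.append(
            "authorizationStrategy is Unsecured or absent: every user is admin")

    if root.find("securityRealm") is None:
        findings.append("no securityRealm configured")

    return findings


# Constructed sample configurations (assumption: shaped like a stock
# Jenkins config.xml; trimmed to the elements the audit reads).
HARDENED_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>
"""

SECURITY_DISABLED_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>
"""


def _make_home(config_xml=None):
    """Create a throwaway Jenkins home; write config.xml only if given."""
    home = tempfile.mkdtemp(prefix="jenkins_home_")
    if config_xml is not None:
        with open(os.path.join(home, "config.xml"), "w", encoding="utf-8") as fh:
            fh.write(config_xml)
    return home


def demo():
    """Run the audit against three constructed homes and return the findings."""
    return {
        "hardened": audit_jenkins_home(_make_home(HARDENED_CONFIG)),
        "security_disabled": audit_jenkins_home(_make_home(SECURITY_DISABLED_CONFIG)),
        "missing": audit_jenkins_home(_make_home(None)),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name + ":", findings or ["ok"])
```

Run it against a live instance by calling audit_jenkins_home on the real JENKINS_HOME; a non-empty result for a host that is supposed to be locked down is worth treating as an incident, since the config.xml that went missing under SECURITY-897 was moved, not deleted, and may still be found elsewhere on the file system.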
