List: oss-security
Subject: Re: [oss-security] Multiple vulnerabilities in Jenkins
From: Daniel Beck <ml () beckweb ! net>
Date: 2019-01-23 10:21:11
Message-ID: B09750A0-4E8C-464B-951D-0267A6174CFE () beckweb ! net
> On 10. Oct 2018, at 17:11, Daniel Beck <ml@beckweb.net> wrote:
>
> SECURITY-867
> A path traversal vulnerability in Stapler allowed viewing routable objects
> with views defined on any type. This could be used to access internal data
> of routable objects, e.g. by showing their string representation (#toString).
CVE-2018-1000997
> SECURITY-1074
> Users with Job/Configure permission could specify a relative path escaping
> the base directory in the file name portion of a file parameter definition.
> This path would be used to archive the uploaded file on the Jenkins master,
> resulting in an arbitrary file write vulnerability.
>
> File parameters that escape the base directory are no longer accepted and
> the build will fail.
CVE-2018-1000406
> SECURITY-1129
> The wrapper query parameter for the XML variant of the Jenkins remote API
> did not validate the specified tag name. This resulted in a reflected cross-
> site scripting vulnerability.
>
> Only legal XML tag names are now allowed for the wrapper query parameter.
CVE-2018-1000407
> SECURITY-1128
> By accessing a specific crafted URL on Jenkins instances using Jenkins' own
> user database, users without Overall/Read access could create ephemeral
> user records.
>
> This behavior could be abused to create a large number of ephemeral user
> records in memory.
>
> Accessing this URL now no longer results in a user record getting created.
CVE-2018-1000408
> SECURITY-1158
> When signing up for a new user account on instances using Jenkins' own user
> database, Jenkins did not invalidate the existing session and create a new
> one. This allowed session fixation.
>
> Jenkins now invalidates the existing session and creates a new one when
> logging in after user signup.
CVE-2018-1000409
> SECURITY-765
> When Jenkins fails to process form submissions due to an internal error,
> the error message shown to the user and written to the log typically
> includes the serialized JSON form submission. Secrets, such as submitted
> passwords, might be included with the JSON object, and shown or written to
> disk in plain text.
>
> Jenkins now masks values in these error messages from view if they were
> shown on the UI as password form fields.
CVE-2018-1000410
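As an added illustration of the SECURITY-1129 / CVE-2018-1000407 fix described above (example code written here, not code from Jenkins or from the post): a user-controlled wrapper tag name is checked against the XML 1.0 Name production before it is interpolated into the XML remote-API response, so markup cannot be injected through the tag name. The function names and sample inputs are constructed for this example.

```python
import re
from xml.sax.saxutils import escape

# XML 1.0 NameStartChar / NameChar productions, restricted to the Basic
# Multilingual Plane. ':' is deliberately left out so the wrapper cannot
# carry a namespace prefix.
_NAME_START = (
    r"A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D"
    r"\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF"
    r"\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD"
)
_NAME_CHAR = _NAME_START + r"\-.0-9\u00B7\u0300-\u036F\u203F-\u2040"
XML_NAME_RE = re.compile(rf"[{_NAME_START}][{_NAME_CHAR}]*")


def is_legal_xml_name(tag: str) -> bool:
    """True only if `tag` is a complete, legal XML element name."""
    return XML_NAME_RE.fullmatch(tag) is not None


def render_unchecked(wrapper: str, items: list[str]) -> str:
    """Pre-fix behaviour: the wrapper parameter is interpolated verbatim.
    Element text is escaped, but the tag name itself is not validated."""
    body = "".join(f"<item>{escape(i)}</item>" for i in items)
    return f"<{wrapper}>{body}</{wrapper}>"


def render_checked(wrapper: str, items: list[str]) -> str:
    """Post-fix behaviour: reject anything that is not a legal XML name."""
    if not is_legal_xml_name(wrapper):
        raise ValueError(f"illegal wrapper tag name: {wrapper!r}")
    return render_unchecked(wrapper, items)


if __name__ == "__main__":
    # Constructed hostile value: closes the wrapper early and injects markup.
    hostile = "list><b>injected</b><list"
    print(render_unchecked(hostile, ["a"]))     # markup lands in the response
    try:
        render_checked(hostile, ["a"])
    except ValueError as e:
        print("rejected:", e)
    print(render_checked("list", ["a", "b"]))
```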