
List:       oss-security
Subject:    Re: [oss-security] Multiple vulnerabilities in Jenkins
From:       Daniel Beck <ml () beckweb ! net>
Date:       2019-01-23 10:21:11
Message-ID: B09750A0-4E8C-464B-951D-0267A6174CFE () beckweb ! net

> On 10. Oct 2018, at 17:11, Daniel Beck <ml@beckweb.net> wrote:
> 
> SECURITY-867
> A path traversal vulnerability in Stapler allowed viewing routable objects 
> with views defined on any type. This could be used to access internal data 
> of routable objects, e.g. by showing their string representation (#toString).

CVE-2018-1000997

> SECURITY-1074
> Users with Job/Configure permission could specify a relative path escaping 
> the base directory in the file name portion of a file parameter definition. 
> This path would be used to archive the uploaded file on the Jenkins master, 
> resulting in an arbitrary file write vulnerability.
> 
> File parameters that escape the base directory are no longer accepted and 
> the build will fail.

CVE-2018-1000406

> SECURITY-1129
> The wrapper query parameter for the XML variant of the Jenkins remote API 
> did not validate the specified tag name. This resulted in a reflected 
> cross-site scripting vulnerability.
> 
> Only legal XML tag names are now allowed for the wrapper query parameter.

CVE-2018-1000407

> SECURITY-1128
> By accessing a specific crafted URL on Jenkins instances using Jenkins' own 
> user database, users without Overall/Read access could create ephemeral 
> user records.
> 
> This behavior could be abused to create a large number of ephemeral user 
> records in memory.
> 
> Accessing this URL now no longer results in a user record getting created.

CVE-2018-1000408

> SECURITY-1158
> When signing up for a new user account on instances using Jenkins' own user 
> database, Jenkins did not invalidate the existing session and create a new 
> one. This allowed session fixation.
> 
> Jenkins now invalidates the existing session and creates a new one when 
> logging in after user signup.

CVE-2018-1000409

> SECURITY-765
> When Jenkins fails to process form submissions due to an internal error, 
> the error message shown to the user and written to the log typically 
> includes the serialized JSON form submission. Secrets, such as submitted 
> passwords, might be included with the JSON object, and shown or written to 
> disk in plain text.
> 
> Jenkins now masks values in these error messages from view if they were 
> shown on the UI as password form fields.

CVE-2018-1000410
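The three mitigations described above (rejecting file parameter names that escape the base directory for SECURITY-1074, accepting only legal XML tag names for the wrapper parameter for SECURITY-1129, and masking password fields before a failed form submission is logged for SECURITY-765), illustrated as an added Python example. This is not Jenkins or Stapler code; the base directory, field names and form values are constructed for the illustration.

```python
import os
import re

# Added illustration of the three fixes described in the advisory; not Jenkins
# or Stapler code. Paths, field names and form values below are constructed.


# --- SECURITY-1074: reject file parameter names that escape the base directory ---
def file_parameter_escapes(base_dir: str, file_name: str) -> bool:
    """True if file_name, joined under base_dir, resolves outside base_dir.

    realpath() collapses '..' segments and symlinks before the comparison, and
    commonpath() (rather than a string prefix test) avoids treating a sibling
    such as '/srv/example/base-other' as being inside '/srv/example/base'.
    """
    base = os.path.realpath(base_dir)
    # os.path.join discards base when file_name is absolute, so absolute names
    # are caught by the same comparison as '..' escapes.
    target = os.path.realpath(os.path.join(base, file_name))
    if target == base:
        return True  # the base directory itself is not a valid archive target
    return os.path.commonpath([base, target]) != base


# --- SECURITY-1129: allow only legal XML element names for the wrapper parameter ---
# Character ranges from the XML 1.0 Name production (NameStartChar / NameChar).
_NAME_START = (r":A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D"
               r"\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF"
               r"\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD")
_NAME_EXTRA = r"\-.0-9\u00B7\u0300-\u036F\u203F-\u2040"
_XML_NAME_RE = re.compile(f"[{_NAME_START}][{_NAME_START}{_NAME_EXTRA}]*")


def is_legal_xml_tag_name(name: str) -> bool:
    """True only for a syntactically valid XML 1.0 element name."""
    return _XML_NAME_RE.fullmatch(name) is not None


def wrap_xml(inner_xml: str, wrapper: str) -> str:
    """Wrap an XML fragment in the requested element, refusing names that are
    not legal XML Names. '<', '>', '"', '/' and whitespace cannot occur in a
    Name, so an accepted name cannot close the tag early or inject markup."""
    if not is_legal_xml_tag_name(wrapper):
        raise ValueError(f"illegal wrapper tag name: {wrapper!r}")
    return f"<{wrapper}>{inner_xml}</{wrapper}>"


# --- SECURITY-765: mask password fields before a form submission is logged ---
MASK = "********"


def mask_password_fields(form, password_fields):
    """Return a copy of a decoded JSON form submission with the values of the
    named password fields replaced by MASK. Objects and arrays are walked
    recursively because a submission may nest further objects and arrays."""
    if isinstance(form, dict):
        return {key: (MASK if key in password_fields
                      else mask_password_fields(value, password_fields))
                for key, value in form.items()}
    if isinstance(form, list):
        return [mask_password_fields(value, password_fields) for value in form]
    return form


if __name__ == "__main__":
    print(file_parameter_escapes("/srv/example/base", "../../etc/passwd"))
    print(is_legal_xml_tag_name("a><b"))
    print(mask_password_fields({"user": "bob", "password": "s3cret"}, {"password"}))
```

The password-field check keys on the set of field names the UI rendered as password inputs; the masking is applied to the decoded submission before it is formatted into the error message or log line, so the plaintext never reaches either sink.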
