Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20140216152556.GA3974@eldamar.local>
Date: Sun, 16 Feb 2014 16:25:56 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Possible CVE Requests: several issues fixed in Jenkins (Advisory
 2014-02-14)

Hi

Jenkins Advisory from 2014-02-14[1] mentions several security fixes,
where for SECURITY-76 and SECURITY-88 CVE-2013-5573 was assigned.

 [1] https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14

Do some of the following need also a CVE assignment?

----cut---------cut---------cut---------cut---------cut---------cut-----
SECURITY-105
| In some places, Jenkins XML API uses XStream to deserialize arbitrary
| content, which is affected by CVE-2013-7285 reported against XStream.
| This allows malicious users of Jenkins with a limited set of permissions
| to execute arbitrary code inside Jenkins master.

https://github.com/jenkinsci/jenkins/commit/d030fbbaeeb5ee8980b5680b26217930834387f4

SECURITY-76 & SECURITY-88 / CVE-2013-5573
| Restrictions of HTML tags for user-editable contents are too lax. This
| allows malicious users of Jenkins to trick other unsuspecting users into
| providing sensitive information.

https://github.com/jenkinsci/jenkins/commit/7541e83cc9812afc2b464f0a3254a2453da53f4c
https://github.com/jenkinsci/jenkins/commit/535c1115bbf07f8a57d509f2d00598d6e21870d4

SECURITY-109
| Plugging a hole in the earlier fix to SECURITY-55. Under some
| circimstances, a malicious user of Jenkins can configure job X to
| trigger another job Y that the user has no access to.

https://github.com/jenkinsci/jenkins/commit/b6b2a367a7976be80a799c6a49fa6c58d778b50e

SECURITY-108
| CLI job creation had a directory traversal vulnerability. This allows a
| malicious user of Jenkins with a limited set of permissions to overwrite
| files in the Jenkins master and escalate privileges.

https://github.com/jenkinsci/jenkins/commit/ad38d8480f20ce3cbf8fec3e2003bc83efda4f7d

SECURITY-106
| The embedded Winstone servlet container is susceptive to session
| hijacking attack.

https://github.com/jenkinsci/jenkins/commit/29351af4bd01f61715418916fc12c52be46bd9b0
(issue in jenkins-winstone?)

SECURITY-93
| The password input control in the password parameter definition in the
| Jenkins UI was serving the actual value of the password in HTML, not an
| encrypted one. If a sensitive value is set as the default value of such
| a parameter definition, it can be exposed to unintended audience.

https://github.com/jenkinsci/jenkins/commit/bf539198564a1108b7b71a973bf7de963a6213ef

SECURITY-89
| Deleting the user was not invalidating the API token, allowing users to
| access Jenkins when they shouldn't be allowed to do so.

https://github.com/jenkinsci/jenkins/commit/5548b5220cfd496831b5721124189ff18fbb12a3

SECURITY-80
| Jenkins UI was vulnerable to click jacking attacks.

https://github.com/jenkinsci/jenkins/commit/16931bd7bf7560e26ef98328b8e95e803d0e90f6

SECURITY-79
| "Jenkins' own user database" was revealing the presence/absence of users
| when login attempts fail.

https://github.com/jenkinsci/jenkins/commit/fbf96734470caba9364f04e0b77b0bae7293a1ec

SECURITY-77
| Jenkins had a cross-site scripting vulnerability in one of its cookies.
| If Jenkins is deployed in an environment that allows an attacker to
| override Jenkins cookies in victim's browser, this vulnerability can be
| exploited.

https://github.com/jenkinsci/jenkins/commit/a0b00508eeb74d7033dc4100eb382df4e8fa72e7

SECURITY-75
| Jenkins was vulnerable to session fixation attack. If Jenkins is
| deployed in an environment that allows an attacker to override Jenkins
| cookies in victim's browser, this vulnerability can be exploited.

https://github.com/jenkinsci/jenkins/commit/8ac74c350779921598f9d5edfed39dd35de8842a

SECURITY-74
| Stored XSS vulnerability. A malicious user of Jenkins with a certain set
| of permissions can cause Jenkins to store arbitrary HTML fragment.

https://github.com/jenkinsci/jenkins/commit/5d57c855f3147bfc5e7fda9252317b428a700014

SECURITY-73
| Some of the system diagnostic functionalities were checking a lesser
| permission than it should have. In a very limited circumstances, this
| can cause an attacker to gain information that he shouldn't have
| access to.

https://github.com/jenkinsci/jenkins/commit/0530a6645aac10fec005614211660e98db44b5eb
----cut---------cut---------cut---------cut---------cut---------cut-----

Do some of these issue need a CVE assigned?

Regards,
Salvatore

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.