Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: Jenkins
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 27 Dec 2012 21:10:34 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Adding Kohsuke Kawaguchi to the CC since he seems to be a Jenkins
security related person. Also if you need CVE's for Jenkins (or any
other major Open Source project your participate in, this goes for
everyone) in future contact me and they can be assigned prior to
advisory release which makes life easier for everyone.

On 12/27/2012 01:31 PM, Moritz Muehlenhoff wrote:
Hi, these Jenkins security issues don't seem to have CVEs assigned
so far: 
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-11-20


I can't provide links to upstream fixes, but three CVE IDs seem 
needed (HTTP response splitting, open redirect and XSS)

Cheers, Moritz


Yup they appear to be new (the last batch I did is acknowledged in the
earlier security advisory from Jenkins).

From:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-11-20


The first vulnerability is commonly known as HTTP response splitting
vulnerability, which can act as a cross-site scripting vulnerability.
This allows an anonymous attacker to inject malicious HTMLs to pages
served by Jenkins. This in turn allows an attacker to escalate his
privileges by hijacking sessions of other users. To mount this attack,
the attacker needs to know the exact URL of your Jenkins installation.
This vulnerability affects those who run Jenkins on its built-in
servlet container (this includes all the native packages.)

Please use CVE-2012-6072 for this issue.

The second vulnerability is so-called open redirect vulnerability.
This allows an anonymous attacker to create an URL that looks as if
it's pointing to Jenkins, yet it actually lands on the site that the
attacker controls. This can be therefore used as a basis for phishing.

Please use CVE-2012-6073 for this issue.

The third vulnerability is a cross-site scripting vulnerability that
allows an attacker with some degree of write access in Jenkins to
embed malicious JavaScript into pages generated by Jenkins.

Please use CVE-2012-6074 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBAgAGBQJQ3Ru6AAoJEBYNRVNeJnmTgG0QALXvW0uvx4Iwl8eH4qPaWXms
b9hvHXV+Gu4Ajp60kyXrFZ/YC3CXgXXvAMPzRf1MRwoqz/fIrUvAjAhQMLDkhWRJ
ZGbdzrIr7Hb44+/e7hpLc9eFWpB+otSNhN5bTK+x3pKinHgSpGQPIHbQ5haB0NIS
3J5gDbSeRtYbId4IYfbF6ZmaMqUDzpTBT+gStV+0dXGY3dWjtRDG9G9nAAWiIn8x
7Z+xriRAYo5M03fuKowCQioXNsS790OtIM8tK0E4ZU4w5FyFsWt1o9361weOuxJx
kYd8kxF5enAOEGCunGAGgUWo5ze+92TSPJJinSmBv8zNxi9gBf85FurWNh9ANS7T
EHk2SiVdqjP55y4wDlMgSZ59dgHkgok6A3Z4xNIe34ygmPy6OsGHECf3HswEajMW
9fI3+9O7vJF5/hA+iF1Z5LJjNT0i5DEugTbkejnf2EzrfGkqs2GFWY0BzygAvf8H
PNOkXsgYdMZkaK6EWYOeW2unENQ1+/eT+tpqwu2FvLkCHFDcBwXY1WpXztUnfilb
1C3HcKvF3q/yFuy8uaV0K/+R9iUJJRKVXw8mmuhzLt8vmoNWrec9BVxbKRlTgh4s
29IUAvrn6NOSnEjj+aP19QwDE9oUVAh0S+tj65C5V2Ft94EawlvYXHZK6cAeuXcw
H1n2tqwhW2AzLggF8P4O
=+kWZ
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]