Re: CVE request: Jenkins
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 27 Dec 2012 21:10:34 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Adding Kohsuke Kawaguchi to the CC since he seems to be a Jenkins
security-related person. Also, if you need CVEs for Jenkins (or any
other major Open Source project you participate in; this goes for
everyone), in future contact me and they can be assigned prior to
advisory release, which makes life easier for everyone.
On 12/27/2012 01:31 PM, Moritz Muehlenhoff wrote:
Hi, these Jenkins security issues don't seem to have CVEs assigned.
I can't provide links to upstream fixes, but three CVE IDs seem
needed (HTTP response splitting, open redirect and XSS).
Yup they appear to be new (the last batch I did is acknowledged in the
earlier security advisory from Jenkins).
The first vulnerability is commonly known as HTTP response splitting
vulnerability, which can act as a cross-site scripting vulnerability.
This allows an anonymous attacker to inject malicious HTML into pages
served by Jenkins. This in turn allows an attacker to escalate his
privileges by hijacking sessions of other users. To mount this attack,
the attacker needs to know the exact URL of your Jenkins installation.
This vulnerability affects those who run Jenkins on its built-in
servlet container (this includes all the native packages).
Please use CVE-2012-6072 for this issue.
The second vulnerability is a so-called open redirect vulnerability.
This allows an anonymous attacker to create a URL that looks as if
it's pointing to Jenkins, yet it actually lands on a site that the
attacker controls. This can therefore be used as a basis for phishing.
Please use CVE-2012-6073 for this issue.
The third vulnerability is a cross-site scripting vulnerability that
allows an attacker with some degree of write access in Jenkins to
Please use CVE-2012-6074 for this issue.
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/
-----END PGP SIGNATURE-----
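The first two bug classes in the thread, HTTP response splitting (CVE-2012-6072) and open redirect (CVE-2012-6073), both come down to untrusted request input reaching the HTTP response without validation. The following is an added example, not Jenkins code and not taken from the advisory quoted above: it shows, on a constructed response, how a CR/LF in a header value produces a second header block on the wire, and it gives the two checks a defender wants at that boundary, a header setter that refuses CR/LF/NUL and a redirect-target validator that only accepts same-origin destinations. The host name `jenkins.example` and the `X-Injected` header are constructed sample values; the function names are this example's own.

```python
"""
Defensive checks for two response-handling bug classes:
  1. HTTP response splitting via CR/LF in a header value.
  2. Open redirect via an attacker-chosen redirect target.
Added example; not part of Jenkins or of the advisory above.
"""
from urllib.parse import urlsplit

# Characters that must never appear in an HTTP header value: CR and LF end
# the header line, NUL is rejected because some stacks truncate on it.
HEADER_FORBIDDEN = ("\r", "\n", "\0")


def is_safe_header_value(value: str) -> bool:
    """True if the value cannot terminate its own header line."""
    return not any(ch in value for ch in HEADER_FORBIDDEN)


def add_header(headers: list, name: str, value: str) -> None:
    """Hardened setter: refuse any value that could split the response."""
    if not is_safe_header_value(value):
        raise ValueError(f"refusing header {name!r}: value contains CR/LF/NUL")
    headers.append((name, value))


def serialize_response(status_line: str, headers: list, body: str) -> str:
    """Naive serializer with NO validation, kept only to make the splitting
    visible: it writes header lines exactly as given."""
    header_lines = "".join(f"{name}: {value}\r\n" for name, value in headers)
    return f"{status_line}\r\n{header_lines}\r\n{body}"


def count_header_blocks(raw: str) -> int:
    """Number of blank-line terminators in a raw response. A single,
    correctly built response has exactly one (the sample bodies used here
    contain no blank line of their own)."""
    return raw.count("\r\n\r\n")


def is_safe_redirect(target: str, own_host: str) -> bool:
    """Allow only same-origin redirect targets.

    Accepted: relative paths ("/job/foo", "job/foo") and absolute http(s)
    URLs whose host is exactly own_host.
    Rejected: other hosts, non-http schemes (javascript:, data:), embedded
    CR/LF, and scheme-relative forms ("//other.example", "/\\other.example")
    that browsers resolve as absolute URLs.
    """
    if not target or any(ch in target for ch in HEADER_FORBIDDEN):
        return False
    # Browsers treat a backslash in the authority position like a slash,
    # so normalise before parsing; "/\evil" then parses as "//evil".
    parts = urlsplit(target.replace("\\", "/"))
    if parts.scheme:
        return parts.scheme in ("http", "https") and parts.hostname == own_host.lower()
    if parts.netloc:  # "//other.example/..." : no scheme, but an authority
        return False
    return True


if __name__ == "__main__":
    # Constructed tainted value: a language tag followed by an injected
    # header block terminator and a second body.
    tainted = "en\r\nX-Injected: yes\r\n\r\n<b>second body</b>"
    naive = [("Content-Type", "text/html"), ("Content-Language", tainted)]
    raw = serialize_response("HTTP/1.1 200 OK", naive, "<p>ok</p>")
    print("header blocks with naive serializer:", count_header_blocks(raw))  # 2

    hardened = []
    add_header(hardened, "Content-Type", "text/html")
    try:
        add_header(hardened, "Content-Language", tainted)
    except ValueError as exc:
        print("hardened setter:", exc)

    for candidate in ("/job/foo", "http://jenkins.example/login",
                      "http://other.example/", "//other.example/", "javascript:x"):
        print(f"{candidate!r:35} safe={is_safe_redirect(candidate, 'jenkins.example')}")
```

The redirect validator deliberately uses an allow-list (relative path or exact own host) rather than trying to enumerate dangerous prefixes, because the scheme-relative and backslash forms show how many spellings a deny-list would have to cover.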