Re: CVE-2013-6488: Jenkins fails to sanitize input before adding it to the page
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 17 Jan 2014 23:41:31 -0700
On 01/16/2014 11:39 PM, Reed Loden wrote:
> On Fri, 17 Jan 2014 13:02:03 +1100 Murray McAllister
> <mmcallis () redhat com> wrote:
> > We recently received a report from Teguh P. Alko about an issue
> > affecting Jenkins. Input was not sanitized before adding it to
> > the page. The fix is public here since the start of 2013:
> > is the security advisory that includes the above fix.
> > This could be used for copy and paste attacks, with the end
> > result being similar to that of cross-site scripting attacks. It
> > has been assigned CVE-2013-6488.
>
> Fairly sure that's just a dupe of CVE-2013-0328. See
>
> > Please credit at least "Teguh P. Alko" in any advisories.
>
> Why? He/she's not the original reporter.
>
> > I am Cc'ing Reed to see if he knows who the other independent
> > reporter is (from that Jira "SECURITY-46" bug in the above
> > commit; as I understand it those bugs are not made public but I
> > could be wrong).
>
> Jenkins's SECURITY-46 maps to
> https://bugzilla.mozilla.org/show_bug.cgi?id=819251, which I just
> opened up. The reporter is "Atulkumar Hariba Shedage".
> Hope that helps.

The problem is we can't easily map things against a security advisory
because there are minimal details. There is no mention of which issue
is which and so on. If you can include the ISSUE-NN number in
advisories in future that will prevent such problems, thanks!

If this is indeed a duplicate then yes we need to REJECT CVE-2013-6488.

Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993