Re: Possible CVE Requests: several issues fixed in Jenkins (Advisory 2014-02-14)
From: cve-assign () mitre org
Date: Thu, 20 Feb 2014 22:39:46 -0500 (EST)
| In some places, Jenkins XML API uses XStream to deserialize arbitrary
| content, which is affected by CVE-2013-7285 reported against XStream.
| This allows malicious users of Jenkins with a limited set of permissions
| to execute arbitrary code inside the Jenkins master.
MITRE may be making a CVE assignment for SECURITY-105, but it won't be
immediate because we need to discuss that one internally within our
team more. This is related to:
not existing yet.
where for SECURITY-76 and SECURITY-88 CVE-2013-5573 was assigned
SECURITY-76 & SECURITY-88 / CVE-2013-5573
| Restrictions of HTML tags for user-editable contents are too lax. This
| allows malicious users of Jenkins to trick other unsuspecting users into
| providing sensitive information.
The vendor says "SECURITY-76 & SECURITY-88 / CVE-2013-5573" on that
"Jenkins Security Advisory 2014-02-14" page, but the originally
intended scope of CVE-2013-5573 is only the issue involving FORM
elements (aka SECURITY-88), not the issue involving IFRAME elements
(aka SECURITY-76). This may be just a parsing difference. We believe
SECURITY-76 & ( SECURITY-88 / CVE-2013-5573 )
( SECURITY-76 & SECURITY-88 ) / CVE-2013-5573
The commit that you didn't list is:
The IFRAME issue wasn't part of the original disclosures such as
http://www.exploit-db.com/exploits/30408/ so we normally can't change
the scope of CVE-2013-5573 to include it later.
https://issues.jenkins-ci.org/browse/SECURITY-88 apparently are not
public, and could possibly have clarifying information (e.g., if there
were a later finding that only FORM is exploitable, and IFRAME isn't
actually exploitable). Unless that information becomes available and
suggests a different course of action, we will proceed to assign a new
CVE-2013-#### ID for SECURITY-76 soon.
| Plugging a hole in the earlier fix to SECURITY-55. Under some
| circumstances, a malicious user of Jenkins can configure job X to
| trigger another job Y that the user has no access to.
| CLI job creation had a directory traversal vulnerability. This allows a
| malicious user of Jenkins with a limited set of permissions to overwrite
| files in the Jenkins master and escalate privileges.
| The embedded Winstone servlet container is susceptible to a session
| hijacking attack.
(issue in jenkins-winstone?)
| The password input control in the password parameter definition in the
| Jenkins UI was serving the actual value of the password in HTML, not an
| encrypted one. If a sensitive value is set as the default value of such
| a parameter definition, it can be exposed to an unintended audience.
| Deleting the user was not invalidating the API token, allowing users to
| access Jenkins when they shouldn't be allowed to do so.
| Jenkins UI was vulnerable to clickjacking attacks.
| "Jenkins' own user database" was revealing the presence/absence of users
| when login attempts fail.
| Jenkins had a cross-site scripting vulnerability in one of its cookies.
| If Jenkins is deployed in an environment that allows an attacker to
| override Jenkins cookies in victim's browser, this vulnerability can be
Use CVE-2014-2065. This is an input-validation issue but perhaps
shouldn't be categorized as a standard XSS issue because of the
unusual threat model.
| Jenkins was vulnerable to a session fixation attack. If Jenkins is
| deployed in an environment that allows an attacker to override Jenkins
| cookies in victim's browser, this vulnerability can be exploited.
Use CVE-2014-2066. Again, the unusual threat model might limit the practical
relevance of this.
| Stored XSS vulnerability. A malicious user of Jenkins with a certain set
| of permissions can cause Jenkins to store an arbitrary HTML fragment.
| Some of the system diagnostic functionalities were checking a lesser
| permission than they should have. In very limited circumstances, this
| can allow an attacker to gain information that he shouldn't have
| access to.
CVE assignment team, MITRE CVE Numbering Authority
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]