oss-sec mailing list archives
CVE-2013-6488: Jenkins fails to sanitize input before adding it to the page
From: Murray McAllister <mmcallis () redhat com>
Date: Fri, 17 Jan 2014 13:02:03 +1100
Hi all,We recently received a report from Teguh P. Alko about an issue affecting Jenkins. Input was not sanitized before adding it to the page. The fix is public here since the start of 2013:
https://github.com/jenkinsci/jenkins/commit/f8d2a0ba6c2e261f48287bdd95bd7a2d7a8d2d0eThis could be used for copy and paste attacks, with the end result being similar to that of cross-site scripting attacks. It has been assigned CVE-2013-6488.
Please credit at least "Teguh P. Alko" in any advisories.I am Cc'ing Reed to see if he knows who the other independent reporter is (from that Jira "SECURITY-46" bug in the above commit; as I understand it those bugs are not made public but I could be wrong).
Cheers, -- Murray McAllister / Red Hat Security Response Team
Current thread:
- CVE-2013-6488: Jenkins fails to sanitize input before adding it to the page Murray McAllister (Jan 16)
- Re: CVE-2013-6488: Jenkins fails to sanitize input before adding it to the page Reed Loden (Jan 16)
- Re: CVE-2013-6488: Jenkins fails to sanitize input before adding it to the page Kurt Seifried (Jan 17)
- Re: CVE-2013-6488: Jenkins fails to sanitize input before adding it to the page Murray McAllister (Jan 19)
- Re: CVE-2013-6488: Jenkins fails to sanitize input before adding it to the page Kurt Seifried (Jan 20)
- Re: CVE-2013-6488: Jenkins fails to sanitize input before adding it to the page Kurt Seifried (Jan 20)
- Re: CVE-2013-6488: Jenkins fails to sanitize input before adding it to the page Reed Loden (Jan 16)