Re: Multiple vulnerabilities in Jenkins

[Daniel Beck <ml () beckweb net>]

> On 15. Aug 2018, at 17:10, Daniel Beck <ml () beckweb net> wrote:
>
>
> SECURITY-637
> Jenkins allowed deserialization of URL objects via Remoting (agent 
> communication) and XStream.
>
> This could in rare cases be used by attackers to have Jenkins look up 
> specified hosts' DNS records.

CVE-2018-1999042

> SECURITY-672
> When attempting to authenticate using API token, an ephemeral user record 
> was created to validate the token in case an external security realm was 
> used, and the user record in Jenkins not previously saved, as (legacy) API 
> tokens could exist without a persisted user record.
>
> This behavior could be abused to create a large number of ephemeral user 
> records in memory.

CVE-2018-1999043

> SECURITY-790
> The form validation for cron expressions (e.g. "Poll SCM", "Build 
> periodically") could enter infinite loops when cron expressions only 
> matching certain rare dates were entered, blocking request handling 
> threads indefinitely.

CVE-2018-1999044

> SECURITY-996
> The "Remember me" feature can be disabled in the Jenkins security 
> configuration.
>
> This did not disable the processing of previously set "Remember me" 
> cookies, so they still allowed users to be logged in.

CVE-2018-1999045

> SECURITY-1071
> Users with Overall/Read permission were able to access the URL serving 
> agent logs on the UI due to a lack of permission checks.

CVE-2018-1999046

> SECURITY-1076
> Users with Overall/Read permission were able to access the URL used to 
> cancel scheduled restart jobs initiated via the update center ("Restart 
> Jenkins when installation is complete and no jobs are running") due to a 
> lack of permission checks.

CVE-2018-1999047