oss-sec mailing list archives
Re: Multiple vulnerabilities in Jenkins
From: Daniel Beck <ml () beckweb net>
Date: Mon, 10 Dec 2018 01:52:09 +0100
On 15. Aug 2018, at 17:10, Daniel Beck <ml () beckweb net> wrote:
SECURITY-637 Jenkins allowed deserialization of URL objects via Remoting (agent communication) and XStream. This could in rare cases be used by attackers to have Jenkins look up specified hosts' DNS records.
CVE-2018-1999042
SECURITY-672 When attempting to authenticate using API token, an ephemeral user record was created to validate the token in case an external security realm was used, and the user record in Jenkins not previously saved, as (legacy) API tokens could exist without a persisted user record. This behavior could be abused to create a large number of ephemeral user records in memory.
CVE-2018-1999043
SECURITY-790 The form validation for cron expressions (e.g. "Poll SCM", "Build periodically") could enter infinite loops when cron expressions only matching certain rare dates were entered, blocking request handling threads indefinitely.
CVE-2018-1999044
SECURITY-996 The "Remember me" feature can be disabled in the Jenkins security configuration. This did not disable the processing of previously set "Remember me" cookies, so they still allowed users to be logged in.
CVE-2018-1999045
SECURITY-1071 Users with Overall/Read permission were able to access the URL serving agent logs on the UI due to a lack of permission checks.
CVE-2018-1999046
SECURITY-1076 Users with Overall/Read permission were able to access the URL used to cancel scheduled restart jobs initiated via the update center ("Restart Jenkins when installation is complete and no jobs are running") due to a lack of permission checks.
CVE-2018-1999047
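As an added illustration of the SECURITY-790 failure mode and its mitigation (this is example code written for this archive page, not Jenkins code): a form validator that searches forward for the next date a cron-like expression matches must bound that search, otherwise an expression that never matches (day 31 of February) or matches only rarely keeps the request thread spinning. The field syntax, the AND semantics for the two day fields, and the 8-year horizon are simplifying assumptions.

```python
from datetime import date, timedelta

# Illustrative validator modelled on the SECURITY-790 failure mode; not Jenkins code.
# Assumptions: spec is "dom month dow", both day fields must match (real cron
# ORs them when both are restricted), and 8 years is the search horizon.
HORIZON_DAYS = 366 * 8

def parse_field(field, lo, hi):
    """Parse one cron field ('*', '5', '1,15', '10-20') into a set of ints."""
    if field == "*":
        return set(range(lo, hi + 1))
    values = set()
    for part in field.split(","):
        if "-" in part:
            a, b = (int(x) for x in part.split("-", 1))
        else:
            a = b = int(part)
        if not (lo <= a <= b <= hi):
            raise ValueError(f"field {field!r} outside {lo}-{hi}")
        values.update(range(a, b + 1))
    return values

def next_match(spec, start, horizon_days=HORIZON_DAYS):
    """First date >= start matching spec, or None if none within the horizon.
    The unbounded variant (`while True`) is what hangs on '31 2 *'."""
    dom_f, mon_f, dow_f = spec.split()
    dom = parse_field(dom_f, 1, 31)
    mon = parse_field(mon_f, 1, 12)
    dow = parse_field(dow_f, 0, 6)  # cron convention: 0 = Sunday
    d = start
    for _ in range(horizon_days):  # hard cap: the request thread always returns
        cron_dow = (d.weekday() + 1) % 7  # Python: Monday=0 ... Sunday=6
        if d.day in dom and d.month in mon and cron_dow in dow:
            return d
        d += timedelta(days=1)
    return None

def validate(spec, today):
    """Form-validation verdict: 'ok' or an error message for the UI."""
    try:
        hit = next_match(spec, today)
    except ValueError as e:
        return f"error: {e}"
    if hit is None:
        return "error: expression never matches within the search horizon"
    return "ok"
```

With the cap in place, "31 2 *" is reported as never matching after a fixed number of iterations instead of blocking the handler indefinitely.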