oss-sec mailing list archives
Multiple vulnerabilities in Jenkins plugins
From: Daniel Beck <ml () beckweb net>
Date: Tue, 21 May 2019 14:57:46 +0200
Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software. The following releases contain fixes for security vulnerabilities: * Credentials 2.1.19 * PAM Authentication 1.5.1 Summaries of the vulnerabilities are below. More details, severity, and attribution can be found here: https://jenkins.io/security/advisory/2019-05-21/ We provide advance notification for security updates on this mailing list: https://groups.google.com/d/forum/jenkinsci-advisories If you discover security vulnerabilities in Jenkins, please report them as described here: https://jenkins.io/security/#reporting-vulnerabilities --- SECURITY-1316 / CVE-2019-10319 A missing permission check in PAM Authentication Plugin allowed users with Overall/Read permission to invoke a form validation method to obtain limited information about the file /etc/shadow on systems with that file present, as well as the system user the Jenkins process is running as. SECURITY-1322 / CVE-2019-10320 Credentials Plugin allowed the creation of Certificate credentials from a PKCS#12 file on the Jenkins master. Users with permission to create or update credentials could use the associated form validation to confirm the existence of files with an attacker-specified path. Additionally, they could create credentials from any valid PKCS#12 file on the Jenkins master. With the ability to configure jobs to access these credentials, they could obtain the certificate content.
Current thread:
- Multiple vulnerabilities in Jenkins plugins Daniel Beck (Apr 03)
- Re: Multiple vulnerabilities in Jenkins plugins Daniel Beck (Apr 13)
- <Possible follow-ups>
- Multiple vulnerabilities in Jenkins plugins Daniel Beck (Apr 17)
- Multiple vulnerabilities in Jenkins plugins Daniel Beck (Apr 30)
- Multiple vulnerabilities in Jenkins plugins Daniel Beck (May 21)
- Multiple vulnerabilities in Jenkins plugins Daniel Beck (May 31)
- Multiple vulnerabilities in Jenkins plugins Daniel Beck (Jun 11)