oss-sec mailing list archives
Re: Browser-mediated attacks on WebDriver servers
From: Gabriel Corona <gabriel.corona () enst-bretagne fr>
Date: Thu, 14 Apr 2022 21:20:08 +0200
Hi, > * Selenium server/Grid CSRF vulnerability; > * Selenium server/Grid DNS-rebinding vulnerability.I have tried requesting CVE IDs for those three times (first request was done in 2021-06-12) and failed so far.
All three attempts were rejected for the following reasons: > The Jenkins CNA is responsible for assigning CVE IDs to > vulnerabilities in this product. Please contact the Jenkins CNA > to get a CVE ID assigned to this issue.However, as a far as I understand this not the case. Here is the scope of the Jenkins CNA [1]:
> The Jenkins project is a CVE Numbers Authority (CNA) for Jenkins > and Jenkins plugins published by the Jenkins project (listed > on plugins.jenkins.io and/or hosted in the jenkinsci > GitHub organization). This means that the Jenkins project assigns > CVE IDs for vulnerabilities in these components. A Selenium plugin [2,3] in indeed included in the list of Jenkins plugins. This plugin includes [4] selenium-standalone-server but is different from selenium-standalone-server [5] itself. I asked the Jenkins CNA: > I have been redirected to you by MITRE concerning the allocation of > CVE IDs for several vulnerabilities in Selenium standalone server / > Selenium Grid [...] > > I believe this is a mistake as I do not see any clue indicating > that Jenkins CNA might be responsible for assigning CVE IDs > to vulnerabilities in this product. Could you confirm me that this > is an error by MITRE ? Here is the answer from the Jenkins CNA: > You are correct: Selenium is not in the scope of the Jenkins CNA. > That said, we assigned CVE IDs in the past for Jenkins plugins > integrating Jenkins and Selenium in some way (CVE-2021-21672, > CVE-2020-2196). Those are in our scope. Perhaps this is the source > of the confusion? In my third CVE request attempt, I explicitly stated: > [Additional Information] > This was previously reported and denied with the following reason: > > > The Jenkins CNA is responsible for assigning CVE IDs to > > vulnerabilities in this product. Please contact the Jenkins CNA to > > get a CVE ID assigned to this issue. > > I asked Jenkins CNA about this and they denied being responsible > for Selenium itself : > > > You are correct: Selenium is not in the scope of the Jenkins CNA. > > That said, we assigned CVE IDs in the past for Jenkins plugins > > integrating Jenkins and Selenium in some way (CVE-2021-21672, > > CVE-2020-2196). Those are in our scope. Perhaps this is the > > source of the confusion? However, the request is still rejected for the same reason. Any idea how to proceed from there? [1] https://www.jenkins.io/security/cna/ [2] https://plugins.jenkins.io/selenium/ [3] https://github.com/jenkinsci/selenium-plugin [4] https://github.com/jenkinsci/selenium-plugin/blob/master/pom.xml[5] https://github.com/SeleniumHQ/selenium/tree/trunk/java/src/org/openqa/selenium/grid
Gabriel
Current thread:
- Re: Browser-mediated attacks on WebDriver servers Gabriel Corona (Apr 14)
- <Possible follow-ups>
- Re: Browser-mediated attacks on WebDriver servers Gabriel Corona (Apr 16)