oss-sec mailing list archives

Re: CVE request: jenkins


From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 23 Nov 2011 13:49:11 -0700

On 11/23/2011 07:37 AM, Jamie Strandboge wrote:
> XSS in Jenkins[1]:
> 
> "Luca De Fulgentis discovered a cross-site scripting vulnerability in
> Jenkins that allows an attacker to embed malicious JavaScript into pages
> generated by Jenkins. The attacker does not need a valid user account in
> order to exploit this vulnerability."
> 
> This is part of the "winstone" servlet container that Jenkins runs in
> when running in standalone mode.
> 
> Patch:
> https://github.com/jenkinsci/winstone/commit/410ed3001d51c689cf59085b7417466caa2ded7b.patch
> 
> [1] http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2011-11-08.cb

Please use CVE-2011-4344 for this issue.

-- 

-Kurt Seifried / Red Hat Security Response Team
