oss-sec mailing list archives

Re: Multiple vulnerabilities in Jenkins plugins


From: Daniel Beck <ml () beckweb net>
Date: Sat, 18 Nov 2017 08:23:48 +0100


On 11. Oct 2017, at 18:25, Daniel Beck <ml () beckweb net> wrote:

SECURITY-557
Maven Plugin bundled a version of the commons-httpclient library with the 
vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, 
making it susceptible to man-in-the-middle attacks.

CVE-2017-1000397

SECURITY-597
Swarm Plugin Client bundled a version of the commons-httpclient library 
with the vulnerability CVE-2012-6153 that incorrectly verified SSL 
certificates, making it susceptible to man-in-the-middle attacks.

CVE-2017-1000402

SECURITY-623
Speaks! Plugin allows users with Job/Configure permission to run arbitrary 
Groovy code inside the Jenkins JVM, effectively elevating privileges to 
Overall/Run Scripts.

CVE-2017-1000403
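As an added example (not part of the thread or of the Jenkins project), a defender-side scan that flags Jenkins plugin archives bundling commons-httpclient 3.x, the library named in SECURITY-557 and SECURITY-597. It assumes the usual .hpi/.jpi layout with jars under WEB-INF/lib/, and, since the advisory gives no fixed library version, treats any bundled 3.x jar as needing review; the sample archive is constructed in memory.

```python
"""Flag Jenkins plugin archives that bundle commons-httpclient 3.x.

Assumption: a plugin archive is a zip with jars under WEB-INF/lib/, and any
commons-httpclient 3.x jar found there is reported for review (the advisory
names no fixed version, so this is a triage rule, not a precise version test).
"""
import io
import re
import zipfile
from pathlib import Path

# Matches e.g. WEB-INF/lib/commons-httpclient-3.1.jar and captures "3.1"
_HTTPCLIENT_JAR = re.compile(
    r"^WEB-INF/lib/commons-httpclient-(?P<ver>\d+(?:\.\d+)*)[^/]*\.jar$"
)


def bundled_httpclient_versions(archive) -> list[str]:
    """Versions of commons-httpclient jars bundled in a plugin archive."""
    with zipfile.ZipFile(archive) as zf:
        return sorted(
            m.group("ver") for name in zf.namelist()
            if (m := _HTTPCLIENT_JAR.match(name))
        )


def is_affected(version: str) -> bool:
    """Triage rule (assumption): every bundled 3.x jar needs review."""
    return version.split(".")[0] == "3"


def scan_plugin(archive) -> dict:
    versions = bundled_httpclient_versions(archive)
    return {"versions": versions, "affected": [v for v in versions if is_affected(v)]}


def scan_plugin_dir(plugin_dir: str) -> dict[str, dict]:
    """Scan every .hpi/.jpi in a plugins directory, e.g. $JENKINS_HOME/plugins."""
    return {p.name: scan_plugin(p) for p in Path(plugin_dir).iterdir()
            if p.suffix in (".hpi", ".jpi")}


def make_sample_plugin(jar_names) -> io.BytesIO:
    """Constructed in-memory .hpi for offline demonstration (not a real plugin)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for jar in jar_names:
            zf.writestr(f"WEB-INF/lib/{jar}", b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = make_sample_plugin(["commons-httpclient-3.1.jar", "httpclient-4.5.3.jar"])
    print(scan_plugin(sample))  # {'versions': ['3.1'], 'affected': ['3.1']}
```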
