oss-sec mailing list archives

Re: Multiple vulnerabilities in Jenkins


From: Daniel Beck <ml () beckweb net>
Date: Wed, 28 Feb 2018 23:18:37 +0100


On 14. Feb 2018, at 16:35, Daniel Beck <ml () beckweb net> wrote:

SECURITY-506
The form validation for the proxy configuration form did not check the 
permission of the user accessing it, allowing anyone with Overall/Read 
access to Jenkins to cause Jenkins to send a GET request to a specified 
URL, optionally with a specified proxy configuration.

If that request’s HTTP response code indicates success, the form validation 
returns a generic success message; otherwise the HTTP status code is 
returned. It was not possible to reuse an existing proxy configuration to 
send those requests; that configuration had to be provided by the attacker.

CVE-2018-1000102

SECURITY-717
Jenkins did not take into account case-insensitive file systems when 
preventing access to plugin resource files that should not be accessible. 
This allowed users with Overall/Read permission to download plugin resource 
files in META-INF and WEB-INF directories, such as the plugins' JAR files, 
which could contain hardcoded secrets.

CVE-2018-1000103

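The case-handling gap described for SECURITY-717, as an added example that is not part of the advisory or of Jenkins' own code: an illustrative naive, case-sensitive deny-list beside a hardened filter that compares every path segment case-insensitively, normalizes separators and rejects traversal. The function names, `PROTECTED_DIRS` and the sample request paths are constructed for this example.

```python
"""Illustrative plugin-resource path filter: a naive case-sensitive deny-list
beside a hardened variant. Constructed example, not Jenkins' actual code."""
from typing import List

# Directories that must never be served as plugin resources (named in the advisory).
PROTECTED_DIRS = ("META-INF", "WEB-INF")
_PROTECTED_FOLDED = tuple(d.casefold() for d in PROTECTED_DIRS)


def split_segments(resource_path: str) -> List[str]:
    """Split an already URL-decoded resource path into segments, treating both
    '/' and '\\' as separators (Windows accepts either) and dropping empties."""
    return [s for s in resource_path.replace("\\", "/").split("/") if s and s != "."]


def naive_is_blocked(resource_path: str) -> bool:
    """Naive filter: exact, case-sensitive comparison of each '/'-separated segment.
    On a case-insensitive file system 'web-inf' opens the same directory as
    'WEB-INF', so this check lets such a request through."""
    return any(seg in PROTECTED_DIRS for seg in resource_path.split("/"))


def hardened_is_blocked(resource_path: str) -> bool:
    """Hardened filter: fail closed regardless of the host file system.
    - compares every segment case-insensitively (casefold), so 'Meta-Inf'
      is treated like 'META-INF' whether or not the FS folds case;
    - rejects '..' segments so a protected directory cannot be reached by
      traversal from an allowed one;
    - normalizes separators so a backslash-separated path is not missed."""
    for seg in split_segments(resource_path):
        if seg == "..":
            return True
        if seg.casefold() in _PROTECTED_FOLDED:
            return True
    return False


def compare(resource_path: str) -> dict:
    """Return both verdicts for one request so the gap is visible side by side."""
    return {"naive": naive_is_blocked(resource_path),
            "hardened": hardened_is_blocked(resource_path)}


if __name__ == "__main__":
    # Constructed sample requests; 'plugin.jar' stands for any plugin's own JAR.
    for p in ("images/icon.png", "WEB-INF/lib/plugin.jar",
              "web-inf/lib/plugin.jar", "Meta-Inf/MANIFEST.MF",
              "images/../WEB-INF/web.xml", "help\\WEB-INF\\web.xml"):
        print(f"{p:30} {compare(p)}")
```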