oss-sec mailing list archives
Re: Multiple vulnerabilities in Jenkins
From: Daniel Beck <ml () beckweb net>
Date: Thu, 25 Jan 2018 09:59:31 +0100
On 14. Dec 2017, at 04:10, Daniel Beck <ml () beckweb net> wrote: SECURITY-667 A race condition during Jenkins startup could result in the wrong order of execution of commands during initialization. On Jenkins 2.81 and newer, including LTS 2.89.1, this could in rare cases (we estimate less than 20% of new instances) result in failure to initialize the setup wizard on the first startup. This resulted in multiple security-related settings not being set to their usual strict default. Affected instances need to be configured to restrict access.
CVE-2017-1000503
Additionally, there's a very short window of time after startup during which Jenkins may no longer show the "Please wait while Jenkins is getting ready to work" message, but Cross-Site Request Forgery (CSRF) protection may not yet be effective. As of publication of this advisory, we've been unable to confirm this can actually be exploited, but generally recommend that users upgrade their instances.
CVE-2017-1000504
Current thread:
- Re: Multiple vulnerabilities in Jenkins Daniel Beck (Jan 25)
- <Possible follow-ups>
- Multiple vulnerabilities in Jenkins Daniel Beck (Feb 14)
- Re: Multiple vulnerabilities in Jenkins Daniel Beck (Feb 28)