oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Multiple vulnerabilities in Jenkins

From: Daniel Beck <ml () beckweb net>
Date: Wed, 23 Jan 2019 11:21:11 +0100



On 10. Oct 2018, at 17:11, Daniel Beck <ml () beckweb net> wrote:

SECURITY-867
A path traversal vulnerability in Stapler allowed viewing routable objects 
with views defined on any type. This could be used to access internal data 
of routable objects, e.g. by showing their string representation (#toString).


CVE-2018-1000997


SECURITY-1074
Users with Job/Configure permission could specify a relative path escaping 
the base directory in the file name portion of a file parameter definition. 
This path would be used to archive the uploaded file on the Jenkins master, 
resulting in an arbitrary file write vulnerability.

File parameters that escape the base directory are no longer accepted and 
the build will fail.


CVE-2018-1000406


SECURITY-1129
The wrapper query parameter for the XML variant of the Jenkins remote API 
did not validate the specified tag name. This resulted in a reflected cross-
site scripting vulnerability.

Only legal XML tag names are now allowed for the wrapper query parameter.


CVE-2018-1000407


SECURITY-1128
By accessing a specific crafted URL on Jenkins instances using Jenkins' own 
user database, users without Overall/Read access could create ephemeral 
user records.

This behavior could be abused to create a large number of ephemeral user 
records in memory.

Accessing this URL now no longer results in a user record getting created.


CVE-2018-1000408


SECURITY-1158
When signing up for a new user account on instances using Jenkins' own user 
database, Jenkins did not invalidate the existing session and create a new 
one. This allowed session fixation.

Jenkins now invalidates the existing session and creates a new one when 
logging in after user signup.


CVE-2018-1000409


SECURITY-765
When Jenkins fails to process form submissions due to an internal error, 
the error message shown to the user and written to the log typically 
includes the serialized JSON form submission. Secrets, such as submitted 
passwords, might be included with the JSON object, and shown or written to 
disk in plain text.

Jenkins now masks values in these error messages from view if they were 
shown on the UI as password form fields.


CVE-2018-1000410
Previous By Date Next
Previous By Thread Next

Current thread: