Date: Thu, 27 Dec 2012 21:10:34 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Moritz Muehlenhoff <jmm@...ian.org>, kk@...suke.org
Subject: Re: CVE request: Jenkins

Adding Kohsuke Kawaguchi to the CC since he seems to be a Jenkins
security related person. Also if you need CVEs for Jenkins (or any
other major Open Source project you participate in, this goes for
everyone) in future contact me and they can be assigned prior to
advisory release which makes life easier for everyone.

On 12/27/2012 01:31 PM, Moritz Muehlenhoff wrote:
> Hi, these Jenkins security issues don't seem to have CVEs assigned
> so far: 
> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-11-20
> 
> 
> I can't provide links to upstream fixes, but three CVE IDs seem 
> needed (HTTP response splitting, open redirect and XSS)
> 
> Cheers, Moritz
> 

Yup they appear to be new (the last batch I did is acknowledged in the
earlier security advisory from Jenkins).

From:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-11-20


The first vulnerability is commonly known as an HTTP response splitting
vulnerability, which can act as a cross-site scripting vulnerability.
This allows an anonymous attacker to inject malicious HTML into pages
served by Jenkins. This in turn allows an attacker to escalate his
privileges by hijacking sessions of other users. To mount this attack,
the attacker needs to know the exact URL of your Jenkins installation.
This vulnerability affects those who run Jenkins on its built-in
servlet container (this includes all the native packages).

Please use CVE-2012-6072 for this issue.

The second vulnerability is a so-called open redirect vulnerability.
This allows an anonymous attacker to create a URL that looks as if
it's pointing to Jenkins, yet it actually lands on a site that the
attacker controls. This can therefore be used as a basis for phishing.

Please use CVE-2012-6073 for this issue.

The third vulnerability is a cross-site scripting vulnerability that
allows an attacker with some degree of write access in Jenkins to
embed malicious JavaScript into pages generated by Jenkins.

Please use CVE-2012-6074 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
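The advisory text quoted above describes three vulnerability classes (HTTP response splitting, open redirect, and cross-site scripting) without showing code. The following Python is an added illustration written for this page; it is not Jenkins code and does not reproduce the actual Jenkins defects or fixes. It shows, for each class, the defender-side check that closes the hole: rejecting control characters before a value reaches a header line, accepting only same-site path-only redirect targets, and output-encoding untrusted text before it lands in HTML. All function names and sample inputs are constructed for the example.

```python
"""Defender-side checks for the three classes in the 2012-11-20 advisory.

Illustrative code added for this page (not from the Jenkins project).
All inputs used in the demo are constructed.
"""
import html
from urllib.parse import urlsplit


class HeaderInjection(ValueError):
    """Raised when a value could terminate a header line or the header block."""


def build_response_unsafe(location: str) -> str:
    """'Before' pattern: caller-supplied input copied verbatim into a header.

    A CR/LF pair inside `location` ends the Location header early, so whatever
    follows is parsed as further headers or a body (response splitting).
    """
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n"


def check_header_value(value: str) -> str:
    """Reject any header value containing a C0 control character or DEL.

    This deliberately rejects tab as well; header values that legitimately
    need it are rare and the conservative rule is easier to audit.
    """
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in value):
        raise HeaderInjection("control character in header value")
    return value


def build_response_safe(location: str) -> str:
    """'After' pattern: same response, value validated before use."""
    return f"HTTP/1.1 302 Found\r\nLocation: {check_header_value(location)}\r\n\r\n"


def header_rejected(value: str) -> bool:
    """True if the hardened builder refuses the value (used by the demo/test)."""
    try:
        build_response_safe(value)
    except HeaderInjection:
        return True
    return False


def count_headers(raw: str) -> int:
    """Number of header lines in a raw response, excluding the status line."""
    head = raw.split("\r\n\r\n", 1)[0]
    return len(head.split("\r\n")) - 1


def is_local_redirect(target: str) -> bool:
    """Accept only same-site, path-only redirect targets.

    Rejects absolute URLs of any scheme, protocol-relative '//host' forms and
    the '/\\host' variant some browsers normalise to '//host'.
    """
    if not target.startswith("/"):
        return False
    if target.startswith("//") or target.startswith("/\\"):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == "" and parts.path.startswith("/")


def render_description(user_text: str) -> str:
    """Output-encode untrusted text before embedding it in generated HTML."""
    return f'<p class="description">{html.escape(user_text, quote=True)}</p>'


if __name__ == "__main__":
    # Constructed inputs: a benign path and one carrying an injected header.
    benign = "/job/build/"
    split = "/job/build/\r\nSet-Cookie: injected=1"
    print("unsafe, benign   ->", count_headers(build_response_unsafe(benign)), "header(s)")
    print("unsafe, injected ->", count_headers(build_response_unsafe(split)), "header(s)")
    print("safe, injected   -> rejected:", header_rejected(split))
    for t in ["/job/build/", "//attacker.example/", "https://attacker.example/"]:
        print("redirect", repr(t), "allowed:", is_local_redirect(t))
    print(render_description('<script>alert(1)</script>'))
```

The split test shows the mechanism the advisory refers to: with the unsafe builder, a single constructed value turns one header into two, while the hardened builder refuses the value outright. In a real deployment the servlet container or web framework should perform the same CR/LF rejection; the point of the example is which property each check enforces, not that an application should hand-roll HTTP.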
