Date: Wed, 20 Feb 2013 23:35:55 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: kk@...suke.org
Subject: Re: Jenkins CVE request for Jenkins Security Advisory 2013-02-16

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ok, no reply from anyone on this so I'm moving ahead.

On 02/17/2013 07:56 PM, Kurt Seifried wrote:
> I'm trying to sort out this security advisory so CVE #'s can be
> assigned to it, can you (kk@) please comment on this? thanks.
>
> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16
>
> ============== One of the vulnerabilities allows cross-site
> request forgery (CSRF) attacks on Jenkins master, which causes a
> user to make unwanted actions on Jenkins.

Please use CVE-2013-0327 for this issue.

> Another vulnerability enables cross-site scripting (XSS) attacks,
> which has a similar consequence.

Please use CVE-2013-0328 for this issue.

> Another vulnerability allowed an attacker to bypass the CSRF
> protection mechanism in place, thereby mounting more CSRF
> attacks. These attacks allow an attacker without direct access to
> Jenkins to mount an attack.

Please use CVE-2013-0329 for this issue.

> In the fourth vulnerability, a malicious user of Jenkins can trick
> Jenkins into building jobs that he does not have direct access to.

Please use CVE-2013-0330 for this issue.

> And lastly, a vulnerability allows a malicious user of Jenkins to
> mount a denial of service attack by feeding a carefully crafted
> payload to Jenkins.

Please use CVE-2013-0331 for this issue.

> ================
>
> So it sounds like 2 CSRF, 1 XSS, 1 "can trick Jenkins into building
> jobs that he does not have direct access to" (permissions bypass?) and
> a denial of service.
>
> The 2 CSRF ones, were they discovered by separate researchers or the
> same person? Can you provide the code patches that fix them so I can
> see more details? Thanks.

Since I have to guess, I'm splitting them; they can be merged if it later turns out to be the case.

> Also if you want to get CVE #'s for Jenkins advisories please do not
> hesitate to contact me/secalert@...hat.com, this will make tracking
> these issues a lot easier!

Again, if you want CVE's for your issues please do not hesitate to contact me or secalert@...hat.com!

- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRJcBLAAoJEBYNRVNeJnmTbosQAInb6WnXlr8OoGvW6DhGfOuY
A2rCCDJ4aUbudnoiJsfNOVowUd4Cxwwu1yngfr4XEU55sFS3o4V0ZOJ94m2syLdx
3lCu4nCIg5SHZR1MJyC4EshF+FwM5GkY/VKcbnrZEIxdTHnUDPUGLOSFnjrfElqM
KQVYQqrG2EgFXog5OVz4DhFNS05/3z38MwZzs74plmevj0jO7a9EMXQ/K8AFDGsO
cApGX2pQC9olrur1ansj2N5JDmPCuToHcW0AEj4tHTZDVSHGdqN/kJ1aN9Q7+UQr
YYZqBncsBQI8iivWyedmdgh+v3ZhLZDkBhovb2bG/yVmo/CNfj/72HQLnvzAGezn
f19bmiNP1N083qY5jTXjAp6B1Ya8co9aIOmYnuagcRIJfaXntb53xTn+MTZ/PF/U
NGDs57Mw8+496qBvx1yZQlEy7F3qZWgKvK0qO6pBnvT7rm2tqzZ8fpsOr8b2lQB3
or8uLOGswH54kLF1n0Zr/Xi8qSApvzrfyKvwcWs4rK6mb+++ADnuDHipFzESy4W8
6ieGIupUFOoHJdFyb+oju4cTk1wn4euYiTpU/gvOQXBRGkKUFbldPpbr/Sh6B2BG
y6hoR4ucO6I6dEO8hVuY49Ny074ubRVtCNhsisGA4uYnxVk8hNSYv3R/uPhObPe+
/vKiQ3/u87IC21mRQB26
=BIYo
-----END PGP SIGNATURE-----