Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 17 Jan 2014 13:02:03 +1100
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
CC: reed@...dloden.com
Subject: CVE-2013-6488: Jenkins fails to sanitize input before adding it to
 the page

Hi all,

We recently received a report from Teguh P. Alko about an issue 
affecting Jenkins. Input was not sanitized before adding it to the page. 
The fix is public here since the start of 2013:

https://github.com/jenkinsci/jenkins/commit/f8d2a0ba6c2e261f48287bdd95bd7a2d7a8d2d0e

This could be used for copy and paste attacks, with the end result being 
similar to that of cross-site scripting attacks. It has been assigned 
CVE-2013-6488.

Please credit at least "Teguh P. Alko" in any advisories.

I am Cc'ing Reed to see if he knows who the other independent reporter 
is (from that Jira "SECURITY-46" bug in the above commit; as I 
understand it those bugs are not made public but I could be wrong).

Cheers,

--
Murray McAllister / Red Hat Security Response Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ