Date: Fri, 17 Jan 2014 13:02:03 +1100 From: Murray McAllister <mmcallis@...hat.com> To: oss-security@...ts.openwall.com CC: reed@...dloden.com Subject: CVE-2013-6488: Jenkins fails to sanitize input before adding it to the page Hi all, We recently received a report from Teguh P. Alko about an issue affecting Jenkins. Input was not sanitized before adding it to the page. The fix is public here since the start of 2013: https://github.com/jenkinsci/jenkins/commit/f8d2a0ba6c2e261f48287bdd95bd7a2d7a8d2d0e This could be used for copy and paste attacks, with the end result being similar to that of cross-site scripting attacks. It has been assigned CVE-2013-6488. Please credit at least "Teguh P. Alko" in any advisories. I am Cc'ing Reed to see if he knows who the other independent reporter is (from that Jira "SECURITY-46" bug in the above commit; as I understand it those bugs are not made public but I could be wrong). Cheers, -- Murray McAllister / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ