Date: Thu, 16 Jan 2014 22:39:51 -0800
From: Reed Loden <>
Subject: Re: CVE-2013-6488: Jenkins fails to sanitize input before adding it to the page

On Fri, 17 Jan 2014 13:02:03 +1100
Murray McAllister <> wrote:

> We recently received a report from Teguh P. Alko about an issue 
> affecting Jenkins. Input was not sanitized before adding it to the page. 
> The fix is public here since the start of 2013:
is the security advisory that includes the above fix.

> This could be used for copy and paste attacks, with the end result being 
> similar to that of cross-site scripting attacks. It has been assigned 
> CVE-2013-6488.

Fairly sure that's just a dupe of CVE-2013-0328. See

> Please credit at least "Teguh P. Alko" in any advisories.

Why? He/she's not the original reporter.

> I am Cc'ing Reed to see if he knows who the other independent reporter 
> is (from that Jira "SECURITY-46" bug in the above commit; as I 
> understand it those bugs are not made public but I could be wrong).

Jenkins's SECURITY-46 maps to, which I just
opened up. The reporter is "Atulkumar Hariba Shedage".

Hope that helps.
