Date: Mon, 20 Jan 2014 10:31:41 +1100
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
CC: Reed Loden <reed@...dloden.com>, Kurt Seifried <kseifrie@...hat.com>
Subject: Re: CVE-2013-6488: Jenkins fails to sanitize input before adding it to the page

On 01/17/2014 05:39 PM, Reed Loden wrote:
> On Fri, 17 Jan 2014 13:02:03 +1100
> Murray McAllister <mmcallis@...hat.com> wrote:
>
>> We recently received a report from Teguh P. Alko about an issue
>> affecting Jenkins. Input was not sanitized before adding it to the page.
>> The fix is public here since the start of 2013:
>>
>> https://github.com/jenkinsci/jenkins/commit/f8d2a0ba6c2e261f48287bdd95bd7a2d7a8d2d0e
>
> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16
> is the security advisory that includes the above fix.
>
>> This could be used for copy and paste attacks, with the end result being
>> similar to that of cross-site scripting attacks. It has been assigned
>> CVE-2013-6488.
>
> Fairly sure that's just a dupe of CVE-2013-0328. See
> http://seclists.org/oss-sec/2013/q1/368.

It is a dupe :( Thanks for pointing this out.

--
Murray McAllister / Red Hat Security Response Team
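The bug class named in the thread, untrusted input written into a page without escaping, shown beside the hardened form. This is an added illustration and not the Jenkins commit or advisory referenced above; the class name, method names and the sample payload are invented here, and nothing in it reflects which Jenkins view was affected.

```java
// Added example: the vulnerable pattern (string concatenated into markup) next to
// the same template with output escaping. Not code from Jenkins; names are invented.
public class OutputEscapingDemo {

    /** Vulnerable: the caller's string is concatenated straight into HTML. */
    static String renderUnsafe(String displayName) {
        return "<h1>Build: " + displayName + "</h1>";
    }

    /** Escape the characters that carry meaning in HTML text and attribute context. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Hardened: same template, untrusted value escaped at the point of output. */
    static String renderSafe(String displayName) {
        return "<h1>Build: " + escapeHtml(displayName) + "</h1>";
    }

    public static void main(String[] args) {
        // Constructed sample input of the kind a user could paste into a free-text field.
        String payload = "<script>alert(document.cookie)</script>";
        System.out.println(renderUnsafe(payload)); // script tag survives into the page
        System.out.println(renderSafe(payload));   // rendered as literal text: &lt;script&gt;...
    }
}
```

The escaping must happen at output time, in the context the value lands in (HTML text here); escaping at input time or only for one context is how fixes of this class end up incomplete.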