Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 20 Feb 2014 22:39:46 -0500 (EST)
Subject: Re: Possible CVE Requests: several issues fixed in Jenkins (Advisory 2014-02-14)

Hash: SHA1

> | In some places, Jenkins XML API uses XStream to deserialize arbitrary
> | content, which is affected by CVE-2013-7285 reported against XStream.
> | This allows malicious users of Jenkins with a limited set of permissions
> | to execute arbitrary code inside Jenkins master.

MITRE may be making a CVE assignment for SECURITY-105, but it won't be
immediate because we need to discuss that one internally within our
team more. This is related to:

not existing yet.

> where for SECURITY-76 and SECURITY-88 CVE-2013-5573 was assigned

> SECURITY-76 & SECURITY-88 / CVE-2013-5573
> | Restrictions of HTML tags for user-editable contents are too lax. This
> | allows malicious users of Jenkins to trick other unsuspecting users into
> | providing sensitive information.

The vendor says "SECURITY-76 & SECURITY-88 / CVE-2013-5573" on that
"Jenkins Security Advisory 2014-02-14" page, but the originally
intended scope of CVE-2013-5573 is only the issue involving FORM
elements (aka SECURITY-88), not the issue involving IFRAME elements
(aka SECURITY-76). This may be just a parsing difference. We believe

   SECURITY-76 & ( SECURITY-88 / CVE-2013-5573 )


   ( SECURITY-76 & SECURITY-88 ) / CVE-2013-5573

The commit that you didn't list is:

The IFRAME issue wasn't part of the original disclosures such as so we normally can't change
the scope of CVE-2013-5573 to include it later. and apparently are not
public, and could possibly have clarifying information (e.g., if there
were a later finding that only FORM is exploitable, and IFRAME isn't
actually exploitable). Unless that information becomes available and
suggests a different course of action, we will proceed to assign a new
CVE-2013-#### ID for SECURITY-76 soon.


Use CVE-2013-7330.

> | Plugging a hole in the earlier fix to SECURITY-55. Under some
> | circumstances, a malicious user of Jenkins can configure job X to
> | trigger another job Y that the user has no access to.

Use CVE-2014-2058.

> | CLI job creation had a directory traversal vulnerability. This allows a
> | malicious user of Jenkins with a limited set of permissions to overwrite
> | files in the Jenkins master and escalate privileges.

Use CVE-2014-2059.

> | The embedded Winstone servlet container is susceptible to session
> | hijacking attack.
> (issue in jenkins-winstone?)

Use CVE-2014-2060.

> | The password input control in the password parameter definition in the
> | Jenkins UI was serving the actual value of the password in HTML, not an
> | encrypted one. If a sensitive value is set as the default value of such
> | a parameter definition, it can be exposed to unintended audience.

Use CVE-2014-2061.

> | Deleting the user was not invalidating the API token, allowing users to
> | access Jenkins when they shouldn't be allowed to do so.

Use CVE-2014-2062.

> | Jenkins UI was vulnerable to click jacking attacks.

Use CVE-2014-2063.

> | "Jenkins' own user database" was revealing the presence/absence of users
> | when login attempts fail.

Use CVE-2014-2064.

> | Jenkins had a cross-site scripting vulnerability in one of its cookies.
> | If Jenkins is deployed in an environment that allows an attacker to
> | override Jenkins cookies in victim's browser, this vulnerability can be
> | exploited.

Use CVE-2014-2065. This is an input-validation issue but perhaps
shouldn't be categorized as a standard XSS issue because of the
unusual threat model.

> | Jenkins was vulnerable to session fixation attack. If Jenkins is
> | deployed in an environment that allows an attacker to override Jenkins
> | cookies in victim's browser, this vulnerability can be exploited.

Use CVE-2014-2066. Again, the unusual threat model might limit the practical
relevance of this.

> | Stored XSS vulnerability. A malicious user of Jenkins with a certain set
> | of permissions can cause Jenkins to store arbitrary HTML fragment.

Use CVE-2014-2067.

> | Some of the system diagnostic functionalities were checking a lesser
> | permission than it should have. In a very limited circumstances, this
> | can cause an attacker to gain information that he shouldn't have
> | access to.

Use CVE-2014-2068.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1.4.14 (SunOS)


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ