Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 20 Feb 2014 22:39:46 -0500 (EST)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Possible CVE Requests: several issues fixed in Jenkins (Advisory 2014-02-14)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> SECURITY-105
> | In some places, Jenkins XML API uses XStream to deserialize arbitrary
> | content, which is affected by CVE-2013-7285 reported against XStream.
> | This allows malicious users of Jenkins with a limited set of permissions
> | to execute arbitrary code inside Jenkins master.
>
> https://github.com/jenkinsci/jenkins/commit/d030fbbaeeb5ee8980b5680b26217930834387f4

MITRE may be making a CVE assignment for SECURITY-105, but it won't be
immediate because we need to discuss that one internally within our
team more. This is related to:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285

not existing yet.


> where for SECURITY-76 and SECURITY-88 CVE-2013-5573 was assigned

> SECURITY-76 & SECURITY-88 / CVE-2013-5573
> | Restrictions of HTML tags for user-editable contents are too lax. This
> | allows malicious users of Jenkins to trick other unsuspecting users into
> | providing sensitive information.
> 
> https://github.com/jenkinsci/jenkins/commit/7541e83cc9812afc2b464f0a3254a2453da53f4c
> https://github.com/jenkinsci/jenkins/commit/535c1115bbf07f8a57d509f2d00598d6e21870d4

The vendor says "SECURITY-76 & SECURITY-88 / CVE-2013-5573" on that
"Jenkins Security Advisory 2014-02-14" page, but the originally
intended scope of CVE-2013-5573 is only the issue involving FORM
elements (aka SECURITY-88), not the issue involving IFRAME elements
(aka SECURITY-76). This may be just a parsing difference. We believe
it's:

   SECURITY-76 & ( SECURITY-88 / CVE-2013-5573 )

not:

   ( SECURITY-76 & SECURITY-88 ) / CVE-2013-5573

The commit that you didn't list is:

  https://github.com/jenkinsci/jenkins/commit/788b7d7a067fad4972fefaaa527141847bfeff55

The IFRAME issue wasn't part of the original disclosures such as
http://www.exploit-db.com/exploits/30408/ so we normally can't change
the scope of CVE-2013-5573 to include it later.
https://issues.jenkins-ci.org/browse/SECURITY-76 and
https://issues.jenkins-ci.org/browse/SECURITY-88 apparently are not
public, and could possibly have clarifying information (e.g., if there
were a later finding that only FORM is exploitable, and IFRAME isn't
actually exploitable). Unless that information becomes available and
suggests a different course of action, we will proceed to assign a new
CVE-2013-#### ID for SECURITY-76 soon.


> SECURITY-55
> https://github.com/jenkinsci/jenkins/commit/36342d71e29e0620f803a7470ce96c61761648d8

Use CVE-2013-7330.


> SECURITY-109
> | Plugging a hole in the earlier fix to SECURITY-55. Under some
> | circumstances, a malicious user of Jenkins can configure job X to
> | trigger another job Y that the user has no access to.
> 
> https://github.com/jenkinsci/jenkins/commit/b6b2a367a7976be80a799c6a49fa6c58d778b50e

Use CVE-2014-2058.


> SECURITY-108
> | CLI job creation had a directory traversal vulnerability. This allows a
> | malicious user of Jenkins with a limited set of permissions to overwrite
> | files in the Jenkins master and escalate privileges.
> 
> https://github.com/jenkinsci/jenkins/commit/ad38d8480f20ce3cbf8fec3e2003bc83efda4f7d

Use CVE-2014-2059.


> SECURITY-106
> | The embedded Winstone servlet container is susceptible to session
> | hijacking attack.
> 
> https://github.com/jenkinsci/jenkins/commit/29351af4bd01f61715418916fc12c52be46bd9b0
> (issue in jenkins-winstone?)

Use CVE-2014-2060.


> SECURITY-93
> | The password input control in the password parameter definition in the
> | Jenkins UI was serving the actual value of the password in HTML, not an
> | encrypted one. If a sensitive value is set as the default value of such
> | a parameter definition, it can be exposed to unintended audience.
> 
> https://github.com/jenkinsci/jenkins/commit/bf539198564a1108b7b71a973bf7de963a6213ef

Use CVE-2014-2061.


> SECURITY-89
> | Deleting the user was not invalidating the API token, allowing users to
> | access Jenkins when they shouldn't be allowed to do so.
> 
> https://github.com/jenkinsci/jenkins/commit/5548b5220cfd496831b5721124189ff18fbb12a3

Use CVE-2014-2062.


> SECURITY-80
> | Jenkins UI was vulnerable to click jacking attacks.
> 
> https://github.com/jenkinsci/jenkins/commit/16931bd7bf7560e26ef98328b8e95e803d0e90f6

Use CVE-2014-2063.


> SECURITY-79
> | "Jenkins' own user database" was revealing the presence/absence of users
> | when login attempts fail.
> 
> https://github.com/jenkinsci/jenkins/commit/fbf96734470caba9364f04e0b77b0bae7293a1ec

Use CVE-2014-2064.


> SECURITY-77
> | Jenkins had a cross-site scripting vulnerability in one of its cookies.
> | If Jenkins is deployed in an environment that allows an attacker to
> | override Jenkins cookies in victim's browser, this vulnerability can be
> | exploited.
> 
> https://github.com/jenkinsci/jenkins/commit/a0b00508eeb74d7033dc4100eb382df4e8fa72e7

Use CVE-2014-2065. This is an input-validation issue but perhaps
shouldn't be categorized as a standard XSS issue because of the
unusual threat model.


> SECURITY-75
> | Jenkins was vulnerable to session fixation attack. If Jenkins is
> | deployed in an environment that allows an attacker to override Jenkins
> | cookies in victim's browser, this vulnerability can be exploited.
> 
> https://github.com/jenkinsci/jenkins/commit/8ac74c350779921598f9d5edfed39dd35de8842a

Use CVE-2014-2066. Again, the unusual threat model might limit the practical
relevance of this.


> SECURITY-74
> | Stored XSS vulnerability. A malicious user of Jenkins with a certain set
> | of permissions can cause Jenkins to store arbitrary HTML fragment.
> 
> https://github.com/jenkinsci/jenkins/commit/5d57c855f3147bfc5e7fda9252317b428a700014

Use CVE-2014-2067.


> SECURITY-73
> | Some of the system diagnostic functionalities were checking a lesser
> | permission than it should have. In a very limited circumstances, this
> | can cause an attacker to gain information that he shouldn't have
> | access to.
> 
> https://github.com/jenkinsci/jenkins/commit/0530a6645aac10fec005614211660e98db44b5eb

Use CVE-2014-2068.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTBsmDAAoJEKllVAevmvms5NkH/RDlkoZIC6ktfTQtnYRRff4E
JwTVhINZ+fQTpcag3zCivHKzUxcxFOZL1aOntywuWdPDmNVSDorpuN1JDS6nQNgj
gai7aRx+g6ngg+phyAO06oNiAU4NzZm2B84KOtoOccuZWPFw1GOPgkoOT+IyDRes
NvYUgFB9ikcl8fJHroIZr14pwPUnSbVnb1xA3pOvReCdT9HfjYxMvl0Ax6i9g6ok
QLd56C8ARKBmjfHpWCYwVj00GiUshN9jv4rv9h+QdrdRoLvah5PAvMoLY6BoojFB
XVd5dg99XRV/+J/Izz3v1ooeSllncKri48NFSHq8cbJlMxj5YKuTWU2akT/FUC8=
=aoN1
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ