Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 18 Nov 2017 08:22:51 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple vulnerabilities in Jenkins


> On 11. Oct 2017, at 18:21, Daniel Beck <ml@...kweb.net> wrote:
> 
> SECURITY-478
> Users with permission to create or configure agents in Jenkins could 
> configure a launch method called Launch agent via execution of command on 
> master. This allowed them to run arbitrary shell commands on the master 
> node whenever the agent was supposed to be launched.

CVE-2017-1000393

> SECURITY-514
> Information about Jenkins user accounts is generally available to anyone 
> with Overall/Read permissions via the /user/(username)/api remote API. This 
> included e.g. Jenkins users' email addresses if the Mailer Plugin is 
> installed.

CVE-2017-1000395

> SECURITY-555
> Jenkins bundled a version of the commons-httpclient library with the 
> vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, 
> making it susceptible to man-in-the-middle attacks.

CVE-2017-1000396

> SECURITY-611
> The remote API at /computer/(agent-name)/api showed information about tasks 
> (typically builds) currently running on that agent. This included 
> information about tasks that the current user otherwise has no access to, 
> e.g. due to lack of Job/Read permission.

CVE-2017-1000398

> SECURITY-618
> The remote API at /queue/item/(ID)/api showed information about tasks in 
> the queue (typically builds waiting to start). This included information 
> about tasks that the current user otherwise has no access to, e.g. due to 
> lack of Job/Read permission.

CVE-2017-1000399

> SECURITY-617
> The remote API at /job/(job-name)/api contained information about upstream 
> and downstream projects. This included information about tasks that the 
> current user otherwise has no access to, e.g. due to lack of Job/Read 
> permission.

CVE-2017-1000400

> SECURITY-616
> The Jenkins default form control for passwords and other secrets, 
> <f:password/>, supports form validation (e.g. for API keys). The form 
> validation AJAX requests were sent via GET, which could result in secrets 
> being logged to a HTTP access log in non-default configurations of 
> Jenkins, and made available to users with access to these log files.

CVE-2017-1000401

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ