Date: Sat, 18 Nov 2017 08:23:48 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple vulnerabilities in Jenkins plugins


> On 11. Oct 2017, at 18:25, Daniel Beck <ml@...kweb.net> wrote:
> 
> SECURITY-557
> Maven Plugin bundled a version of the commons-httpclient library with the 
> vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, 
> making it susceptible to man-in-the-middle attacks.

CVE-2017-1000397

> SECURITY-597
> Swarm Plugin Client bundled a version of the commons-httpclient library 
> with the vulnerability CVE-2012-6153 that incorrectly verified SSL 
> certificates, making it susceptible to man-in-the-middle attacks.

CVE-2017-1000402

> SECURITY-623
> Speaks! Plugin allows users with Job/Configure permission to run arbitrary 
> Groovy code inside the Jenkins JVM, effectively elevating privileges to 
> Overall/Run Scripts.

CVE-2017-1000403
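The two CVE-2012-6153 items above (SECURITY-557 and SECURITY-597) both come down to a client that trusts the certificate chain but does not correctly match the server name against the certificate. The block below is an added example, not code from the Jenkins plugins or from commons-httpclient: it contrasts a constructed, deliberately flawed matcher that scans a flattened subject DN string for "CN=" (an illustration of the bug class, not a reproduction of the library's code) with a matcher that walks the parsed subject and prefers subjectAltName dNSName entries. The certificate dicts, hostnames and DN string are constructed; their shape mirrors what Python's `ssl.SSLSocket.getpeercert()` returns.

```python
"""Hostname verification after TLS chain validation (added example).

Shows why "verifying the certificate" must include matching the server name
against the certificate.  Certificate data is constructed and mirrors the
dict shape returned by Python's ssl.SSLSocket.getpeercert().
"""


def naive_cn_match(subject_dn: str, hostname: str) -> bool:
    """Constructed flawed matcher (illustrative, NOT the library's code).

    It scans the flattened subject DN string for the first "CN=" and takes
    what follows up to the next comma.  An escaped comma inside another
    attribute value therefore lets a non-CN attribute supply the "CN".
    """
    idx = subject_dn.find("CN=")
    if idx < 0:
        return False
    cn = subject_dn[idx + 3:].split(",")[0].strip()
    return cn.lower() == hostname.lower()


def dnsname_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName/CN pattern against a hostname (RFC 6125 style rules).

    A wildcard is accepted only as the whole leftmost label, only when at
    least two more labels follow, and it never spans a dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(cert: dict, hostname: str) -> bool:
    """Structured matcher: SAN dNSName entries first, then the commonName RDN only.

    Because the subject is walked as parsed RDNs, a value that merely
    *contains* "CN=" is never mistaken for the common name.
    """
    san_names = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_names:
        # When any dNSName is present the CN is ignored entirely.
        return any(dnsname_match(name, hostname) for name in san_names)
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return dnsname_match(value, hostname)
    return False


# Constructed certificates.  EVIL_CERT's organizationalUnitName value contains
# the text ",CN=jenkins.example.org"; its real commonName is evil.example.net.
GOOD_CERT = {
    "subject": ((("commonName", "jenkins.example.org"),),),
    "subjectAltName": (("DNS", "jenkins.example.org"), ("DNS", "*.ci.example.org")),
}
EVIL_CERT = {
    "subject": (
        (("organizationalUnitName", "team,CN=jenkins.example.org"),),
        (("commonName", "evil.example.net"),),
    ),
}
# The same EVIL_CERT subject flattened to an RFC 4514 string (comma escaped).
EVIL_DN_STRING = "OU=team\\,CN=jenkins.example.org,CN=evil.example.net"


def demo() -> dict:
    """Return both matchers' verdicts for the constructed certificates."""
    return {
        "naive_accepts_spoof": naive_cn_match(EVIL_DN_STRING, "jenkins.example.org"),
        "structured_accepts_spoof": verify_hostname(EVIL_CERT, "jenkins.example.org"),
        "structured_accepts_real": verify_hostname(GOOD_CERT, "jenkins.example.org"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

In practice the TLS stack's own verifier performs this step (Python's `ssl.create_default_context()`, for instance, sets `check_hostname=True`); the block only makes visible which check a client that validates the chain but not the name is skipping, and why the name must be taken from parsed certificate fields rather than from a string representation.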
