Date: Thu, 25 Jan 2018 10:01:56 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple vulnerabilities in Jenkins plugins


> On 22. Jan 2018, at 12:35, Daniel Beck <ml@...kweb.net> wrote:
> 
> SECURITY-655 (PMD)

CVE-2018-1000008

> SECURITY-656 (Checkstyle)

CVE-2018-1000009

> SECURITY-657 (DRY)

CVE-2018-1000010

> SECURITY-658 (FindBugs)

CVE-2018-1000011

> SECURITY-695 (Warnings)

CVE-2018-1000012

> Multiple plugins based on the Static Analysis Utilities plugin are affected by
> an XML External Entity (XXE) processing vulnerability. This allows attackers to
> configure build processes so that one of these plugins parses a maliciously
> crafted file that uses external entities for extraction of secrets from the
> Jenkins master, server-side request forgery, or denial-of-service attacks.
> 
> 
> SECURITY-607
> Release plugin did not require form submissions to be submitted via POST, 
> resulting in a CSRF vulnerability allowing attackers to trigger release builds.

CVE-2018-1000013

> SECURITY-507
> Translation Assistance did not require form submissions to be submitted via 
> POST, resulting in a CSRF vulnerability allowing attackers to override 
> localized strings displayed to all users on the current Jenkins instance if 
> the victim is a Jenkins administrator.

CVE-2018-1000014

> SECURITY-675
> On instances with Authorize Project plugin, the authentication associated with 
> a build may lack the Computer/Build permission on some agents. This did not 
> prevent the execution of Pipeline `node` blocks on those agents due to 
> incorrect permissions checks in Pipeline: Nodes and Processes plugin.

CVE-2018-1000015
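The XXE class of issue quoted above (SECURITY-655 through SECURITY-695), as an added example that is not from the original post or from the Jenkins plugins themselves: a constructed "report" file declares an external entity, and the same document is fed to a JAXP DocumentBuilder in its default configuration and to one hardened with the standard Xerces/JAXP features that Jenkins-style report parsers should set. The temp file, the element names and the feature-setting helper are assumptions of this example; it assumes a JDK 11 or later default JAXP implementation.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;

public class SecureReportParser {

    // Constructed sample: an analysis "report" whose DOCTYPE declares an external
    // entity that references a local file (stand-in for a secret on the master).
    static String reportWithEntity(Path localFile) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE report [<!ENTITY ext SYSTEM \"" + localFile.toUri() + "\">]>\n"
             + "<report><message>&ext;</message></report>";
    }

    // Weak setting: the JDK's default factory honours DOCTYPE and resolves external entities.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened setting: refuse any DOCTYPE, and additionally switch off external
    // general/parameter entities, external DTD loading, XInclude and entity expansion.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns the text of <message>, or null when the parser rejected the document
    // (the hardened factory fails on the DOCTYPE before any entity is resolved).
    static String messageOf(DocumentBuilderFactory f, String xml) throws Exception {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return d.getElementsByTagName("message").item(0).getTextContent();
        } catch (SAXParseException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        Path localFile = Files.createTempFile("constructed-secret", ".txt");
        Files.writeString(localFile, "constructed-secret-value");
        String xml = reportWithEntity(localFile);
        System.out.println("default : " + messageOf(defaultFactory(), xml));
        System.out.println("hardened: " + messageOf(hardenedFactory(), xml));
        Files.delete(localFile);
    }
}
```

Disallowing the DOCTYPE is the single feature that closes the whole class (secret extraction, SSRF and entity-expansion denial of service); the remaining features are defence in depth for parsers that must accept a DTD.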
