Date: Wed, 14 Feb 2018 16:35:43 +0100 From: Daniel Beck <ml@...kweb.net> To: oss-security@...ts.openwall.com Subject: Multiple vulnerabilities in Jenkins Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software. The following releases contain fixes for security vulnerabilities: * Jenkins (weekly) 2.107 * Jenkins (LTS) 2.89.4 Summaries of the vulnerabilities are below. More details, severity, and attribution can be found here: https://jenkins.io/security/advisory/2018-02-14/ We provide advance notification for security updates on this mailing list: https://groups.google.com/d/forum/jenkinsci-advisories If you find security vulnerabilities in Jenkins, please report them as described here: https://jenkins.io/security/#reporting-vulnerabilities --- SECURITY-506 The form validation for the proxy configuration form did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL, optionally with a specified proxy configuration. If that request’s HTTP response code indicates success, the form validation is returning a generic success message, otherwise the HTTP status code is returned. It was not possible to reuse an existing proxy configuration to send those requests; that configuration had to be provided by the attacker. SECURITY-705 / CVE-2018-6356 Jenkins did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded. SECURITY-717 Jenkins did not take into account case-insensitive file systems when preventing access to plugin resource files that should not be accessible. This allowed users with Overall/Read permission to download plugin resource files in META-INF and WEB-INF directories, such as the plugins' JAR files, which could contain hardcoded secrets.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ