Date: Wed, 18 Jul 2018 18:32:10 +0200
From: Daniel Beck <>
Subject: Re: Multiple vulnerabilities in Jenkins

> On 18. Jul 2018, at 16:38, Daniel Beck <> wrote:
> Unauthenticated users could provide maliciously crafted login credentials 
> that cause Jenkins to move the config.xml file from the Jenkins home 
> directory. This configuration file contains basic configuration of 
> Jenkins, including the selected security realm and authorization strategy. 
> If Jenkins is started without this file present, it will revert to the 
> legacy defaults of granting administrator access to anonymous users.


> An arbitrary file read vulnerability in the Stapler web framework used by 
> Jenkins allowed unauthenticated users to send crafted HTTP requests 
> returning the contents of any file on the Jenkins master file system that 
> the Jenkins master process has access to.


> The URLs handling cancellation of queued builds did not perform a 
> permission check, allowing users with Overall/Read permission to cancel 
> queued builds.


> The URL that initiates agent launches on the Jenkins master did not perform 
> a permission check, allowing users with Overall/Read permission to initiate 
> agent launches.


> The build timeline widget shown on URLs like /view/…/builds did not 
> properly escape display names of items. This resulted in a cross-site 
> scripting vulnerability exploitable by users able to control item display 
> names.


> Files indicating when a plugin JPI file was last extracted into a 
> subdirectory of plugins/ in the Jenkins home directory were accessible via 
> HTTP by users with Overall/Read permission. This allowed unauthorized users 
> to determine the likely install date of a given plugin.


> Stapler is the web framework used by Jenkins to route HTTP requests. When 
> its debug mode is enabled, HTTP 404 error pages display diagnostic 
> information. Those error pages did not escape parts of URLs they displayed, 
> in rare cases resulting in a cross-site scripting vulnerability.
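The first item above is worth turning into a routine check on the defending side: if config.xml is gone or no longer enforces a security realm and authorization strategy, the instance is one restart away from anonymous administrator access. The script below is an added example and is not code from the advisory or from the Jenkins project. It parses the global config.xml found in JENKINS_HOME and reports when the file is missing, when useSecurity is not enabled, or when the authorization strategy is the unsecured one. The element and class names it looks for (useSecurity, securityRealm, authorizationStrategy, hudson.security.AuthorizationStrategy$Unsecured) reflect the layout of that file as the author understands it and are an assumption, as are the sample configurations, which are constructed for the demonstration.

```python
"""Audit a Jenkins home directory for the config.xml that controls access.

Added example, not part of the advisory or of Jenkins itself. Element and
class names are assumptions about the config.xml layout; sample XML below
is constructed for the demonstration.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Authorization strategy class that grants full control to everyone,
# including anonymous users (assumed Jenkins class name).
UNSECURED_STRATEGY = "hudson.security.AuthorizationStrategy$Unsecured"


def audit_config_tree(root):
    """Return a list of findings for a parsed config.xml root; [] means OK."""
    findings = []
    use_security = (root.findtext("useSecurity", default="") or "").strip().lower()
    if use_security != "true":
        findings.append("useSecurity is not true")
    realm = root.find("securityRealm")
    if realm is None:
        findings.append("no securityRealm element: nobody is authenticated")
    strategy = root.find("authorizationStrategy")
    if strategy is None:
        findings.append("no authorizationStrategy element")
    elif strategy.get("class") == UNSECURED_STRATEGY:
        findings.append("authorizationStrategy is Unsecured: anonymous has full control")
    return findings


def audit_config_string(xml_text):
    """Audit config.xml content supplied as a string."""
    return audit_config_tree(ET.fromstring(xml_text))


def audit_config_xml(jenkins_home):
    """Audit JENKINS_HOME/config.xml on disk; a missing file is itself a finding."""
    path = os.path.join(jenkins_home, "config.xml")
    if not os.path.isfile(path):
        return ["config.xml missing: next start falls back to legacy defaults (anonymous admin)"]
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError as exc:
        return [f"config.xml unparsable: {exc}"]
    return audit_config_tree(root)


# Constructed sample: a hardened global configuration.
SECURED_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>
"""

# Constructed sample: security switched off and the unsecured strategy selected.
UNSECURED_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>
"""


def audit_sample_home(xml_text):
    """Write xml_text as config.xml into a fresh temporary home and audit it."""
    home = tempfile.mkdtemp(prefix="jenkins_home_")
    with open(os.path.join(home, "config.xml"), "w", encoding="utf-8") as fh:
        fh.write(xml_text)
    return audit_config_xml(home)


def audit_empty_home():
    """Audit a temporary home with no config.xml at all (the moved-file case)."""
    return audit_config_xml(tempfile.mkdtemp(prefix="jenkins_home_"))


if __name__ == "__main__":
    for label, result in (("secured", audit_sample_home(SECURED_CONFIG)),
                          ("unsecured", audit_sample_home(UNSECURED_CONFIG)),
                          ("empty home", audit_empty_home())):
        print(f"{label}: {result or 'OK'}")
```

Run it against a real JENKINS_HOME by calling audit_config_xml with that path from a cron job or a monitoring agent; a non-empty result on an instance that was previously secured is the signal to investigate before the next restart.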

