Date: Thu, 20 Feb 2014 22:39:46 -0500 (EST) From: cve-assign@...re.org To: carnil@...ian.org Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: Possible CVE Requests: several issues fixed in Jenkins (Advisory 2014-02-14) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > SECURITY-105 > | In some places, Jenkins XML API uses XStream to deserialize arbitrary > | content, which is affected by CVE-2013-7285 reported against XStream. > | This allows malicious users of Jenkins with a limited set of permissions > | to execute arbitrary code inside Jenkins master. > > https://github.com/jenkinsci/jenkins/commit/d030fbbaeeb5ee8980b5680b26217930834387f4 MITRE may be making a CVE assignment for SECURITY-105, but it won't be immediate because we need to discuss that one internally within our team more. This is related to: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285 not existing yet. > where for SECURITY-76 and SECURITY-88 CVE-2013-5573 was assigned > SECURITY-76 & SECURITY-88 / CVE-2013-5573 > | Restrictions of HTML tags for user-editable contents are too lax. This > | allows malicious users of Jenkins to trick other unsuspecting users into > | providing sensitive information. > > https://github.com/jenkinsci/jenkins/commit/7541e83cc9812afc2b464f0a3254a2453da53f4c > https://github.com/jenkinsci/jenkins/commit/535c1115bbf07f8a57d509f2d00598d6e21870d4 The vendor says "SECURITY-76 & SECURITY-88 / CVE-2013-5573" on that "Jenkins Security Advisory 2014-02-14" page, but the originally intended scope of CVE-2013-5573 is only the issue involving FORM elements (aka SECURITY-88), not the issue involving IFRAME elements (aka SECURITY-76). This may be just a parsing difference. We believe it's: SECURITY-76 & ( SECURITY-88 / CVE-2013-5573 ) not: ( SECURITY-76 & SECURITY-88 ) / CVE-2013-5573 The commit that you didn't list is: https://github.com/jenkinsci/jenkins/commit/788b7d7a067fad4972fefaaa527141847bfeff55 The IFRAME issue wasn't part of the original disclosures such as http://www.exploit-db.com/exploits/30408/ so we normally can't change the scope of CVE-2013-5573 to include it later. https://issues.jenkins-ci.org/browse/SECURITY-76 and https://issues.jenkins-ci.org/browse/SECURITY-88 apparently are not public, and could possibly have clarifying information (e.g., if there were a later finding that only FORM is exploitable, and IFRAME isn't actually exploitable). Unless that information becomes available and suggests a different course of action, we will proceed to assign a new CVE-2013-#### ID for SECURITY-76 soon. > SECURITY-55 > https://github.com/jenkinsci/jenkins/commit/36342d71e29e0620f803a7470ce96c61761648d8 Use CVE-2013-7330. > SECURITY-109 > | Plugging a hole in the earlier fix to SECURITY-55. Under some > | circumstances, a malicious user of Jenkins can configure job X to > | trigger another job Y that the user has no access to. > > https://github.com/jenkinsci/jenkins/commit/b6b2a367a7976be80a799c6a49fa6c58d778b50e Use CVE-2014-2058. > SECURITY-108 > | CLI job creation had a directory traversal vulnerability. This allows a > | malicious user of Jenkins with a limited set of permissions to overwrite > | files in the Jenkins master and escalate privileges. > > https://github.com/jenkinsci/jenkins/commit/ad38d8480f20ce3cbf8fec3e2003bc83efda4f7d Use CVE-2014-2059. > SECURITY-106 > | The embedded Winstone servlet container is susceptible to session > | hijacking attack. > > https://github.com/jenkinsci/jenkins/commit/29351af4bd01f61715418916fc12c52be46bd9b0 > (issue in jenkins-winstone?) Use CVE-2014-2060. > SECURITY-93 > | The password input control in the password parameter definition in the > | Jenkins UI was serving the actual value of the password in HTML, not an > | encrypted one. If a sensitive value is set as the default value of such > | a parameter definition, it can be exposed to unintended audience. > > https://github.com/jenkinsci/jenkins/commit/bf539198564a1108b7b71a973bf7de963a6213ef Use CVE-2014-2061. > SECURITY-89 > | Deleting the user was not invalidating the API token, allowing users to > | access Jenkins when they shouldn't be allowed to do so. > > https://github.com/jenkinsci/jenkins/commit/5548b5220cfd496831b5721124189ff18fbb12a3 Use CVE-2014-2062. > SECURITY-80 > | Jenkins UI was vulnerable to click jacking attacks. > > https://github.com/jenkinsci/jenkins/commit/16931bd7bf7560e26ef98328b8e95e803d0e90f6 Use CVE-2014-2063. > SECURITY-79 > | "Jenkins' own user database" was revealing the presence/absence of users > | when login attempts fail. > > https://github.com/jenkinsci/jenkins/commit/fbf96734470caba9364f04e0b77b0bae7293a1ec Use CVE-2014-2064. > SECURITY-77 > | Jenkins had a cross-site scripting vulnerability in one of its cookies. > | If Jenkins is deployed in an environment that allows an attacker to > | override Jenkins cookies in victim's browser, this vulnerability can be > | exploited. > > https://github.com/jenkinsci/jenkins/commit/a0b00508eeb74d7033dc4100eb382df4e8fa72e7 Use CVE-2014-2065. This is an input-validation issue but perhaps shouldn't be categorized as a standard XSS issue because of the unusual threat model. > SECURITY-75 > | Jenkins was vulnerable to session fixation attack. If Jenkins is > | deployed in an environment that allows an attacker to override Jenkins > | cookies in victim's browser, this vulnerability can be exploited. > > https://github.com/jenkinsci/jenkins/commit/8ac74c350779921598f9d5edfed39dd35de8842a Use CVE-2014-2066. Again, the unusual threat model might limit the practical relevance of this. > SECURITY-74 > | Stored XSS vulnerability. A malicious user of Jenkins with a certain set > | of permissions can cause Jenkins to store arbitrary HTML fragment. > > https://github.com/jenkinsci/jenkins/commit/5d57c855f3147bfc5e7fda9252317b428a700014 Use CVE-2014-2067. > SECURITY-73 > | Some of the system diagnostic functionalities were checking a lesser > | permission than it should have. In a very limited circumstances, this > | can cause an attacker to gain information that he shouldn't have > | access to. > > https://github.com/jenkinsci/jenkins/commit/0530a6645aac10fec005614211660e98db44b5eb Use CVE-2014-2068. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTBsmDAAoJEKllVAevmvms5NkH/RDlkoZIC6ktfTQtnYRRff4E JwTVhINZ+fQTpcag3zCivHKzUxcxFOZL1aOntywuWdPDmNVSDorpuN1JDS6nQNgj gai7aRx+g6ngg+phyAO06oNiAU4NzZm2B84KOtoOccuZWPFw1GOPgkoOT+IyDRes NvYUgFB9ikcl8fJHroIZr14pwPUnSbVnb1xA3pOvReCdT9HfjYxMvl0Ax6i9g6ok QLd56C8ARKBmjfHpWCYwVj00GiUshN9jv4rv9h+QdrdRoLvah5PAvMoLY6BoojFB XVd5dg99XRV/+J/Izz3v1ooeSllncKri48NFSHq8cbJlMxj5YKuTWU2akT/FUC8= =aoN1 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.