Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <201402210339.s1L3dkS1000100@linus.mitre.org>
Date: Thu, 20 Feb 2014 22:39:46 -0500 (EST)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Possible CVE Requests: several issues fixed in Jenkins (Advisory 2014-02-14)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> SECURITY-105
> | In some places, Jenkins XML API uses XStream to deserialize arbitrary
> | content, which is affected by CVE-2013-7285 reported against XStream.
> | This allows malicious users of Jenkins with a limited set of permissions
> | to execute arbitrary code inside Jenkins master.
>
> https://github.com/jenkinsci/jenkins/commit/d030fbbaeeb5ee8980b5680b26217930834387f4

MITRE may be making a CVE assignment for SECURITY-105, but it won't be
immediate because we need to discuss that one internally within our
team more. This is related to:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285

not existing yet.


> where for SECURITY-76 and SECURITY-88 CVE-2013-5573 was assigned

> SECURITY-76 & SECURITY-88 / CVE-2013-5573
> | Restrictions of HTML tags for user-editable contents are too lax. This
> | allows malicious users of Jenkins to trick other unsuspecting users into
> | providing sensitive information.
> 
> https://github.com/jenkinsci/jenkins/commit/7541e83cc9812afc2b464f0a3254a2453da53f4c
> https://github.com/jenkinsci/jenkins/commit/535c1115bbf07f8a57d509f2d00598d6e21870d4

The vendor says "SECURITY-76 & SECURITY-88 / CVE-2013-5573" on that
"Jenkins Security Advisory 2014-02-14" page, but the originally
intended scope of CVE-2013-5573 is only the issue involving FORM
elements (aka SECURITY-88), not the issue involving IFRAME elements
(aka SECURITY-76). This may be just a parsing difference. We believe
it's:

   SECURITY-76 & ( SECURITY-88 / CVE-2013-5573 )

not:

   ( SECURITY-76 & SECURITY-88 ) / CVE-2013-5573

The commit that you didn't list is:

  https://github.com/jenkinsci/jenkins/commit/788b7d7a067fad4972fefaaa527141847bfeff55

The IFRAME issue wasn't part of the original disclosures such as
http://www.exploit-db.com/exploits/30408/ so we normally can't change
the scope of CVE-2013-5573 to include it later.
https://issues.jenkins-ci.org/browse/SECURITY-76 and
https://issues.jenkins-ci.org/browse/SECURITY-88 apparently are not
public, and could possibly have clarifying information (e.g., if there
were a later finding that only FORM is exploitable, and IFRAME isn't
actually exploitable). Unless that information becomes available and
suggests a different course of action, we will proceed to assign a new
CVE-2013-#### ID for SECURITY-76 soon.


> SECURITY-55
> https://github.com/jenkinsci/jenkins/commit/36342d71e29e0620f803a7470ce96c61761648d8

Use CVE-2013-7330.


> SECURITY-109
> | Plugging a hole in the earlier fix to SECURITY-55. Under some
> | circumstances, a malicious user of Jenkins can configure job X to
> | trigger another job Y that the user has no access to.
> 
> https://github.com/jenkinsci/jenkins/commit/b6b2a367a7976be80a799c6a49fa6c58d778b50e

Use CVE-2014-2058.


> SECURITY-108
> | CLI job creation had a directory traversal vulnerability. This allows a
> | malicious user of Jenkins with a limited set of permissions to overwrite
> | files in the Jenkins master and escalate privileges.
> 
> https://github.com/jenkinsci/jenkins/commit/ad38d8480f20ce3cbf8fec3e2003bc83efda4f7d

Use CVE-2014-2059.


> SECURITY-106
> | The embedded Winstone servlet container is susceptible to session
> | hijacking attack.
> 
> https://github.com/jenkinsci/jenkins/commit/29351af4bd01f61715418916fc12c52be46bd9b0
> (issue in jenkins-winstone?)

Use CVE-2014-2060.


> SECURITY-93
> | The password input control in the password parameter definition in the
> | Jenkins UI was serving the actual value of the password in HTML, not an
> | encrypted one. If a sensitive value is set as the default value of such
> | a parameter definition, it can be exposed to unintended audience.
> 
> https://github.com/jenkinsci/jenkins/commit/bf539198564a1108b7b71a973bf7de963a6213ef

Use CVE-2014-2061.


> SECURITY-89
> | Deleting the user was not invalidating the API token, allowing users to
> | access Jenkins when they shouldn't be allowed to do so.
> 
> https://github.com/jenkinsci/jenkins/commit/5548b5220cfd496831b5721124189ff18fbb12a3

Use CVE-2014-2062.


> SECURITY-80
> | Jenkins UI was vulnerable to click jacking attacks.
> 
> https://github.com/jenkinsci/jenkins/commit/16931bd7bf7560e26ef98328b8e95e803d0e90f6

Use CVE-2014-2063.


> SECURITY-79
> | "Jenkins' own user database" was revealing the presence/absence of users
> | when login attempts fail.
> 
> https://github.com/jenkinsci/jenkins/commit/fbf96734470caba9364f04e0b77b0bae7293a1ec

Use CVE-2014-2064.


> SECURITY-77
> | Jenkins had a cross-site scripting vulnerability in one of its cookies.
> | If Jenkins is deployed in an environment that allows an attacker to
> | override Jenkins cookies in victim's browser, this vulnerability can be
> | exploited.
> 
> https://github.com/jenkinsci/jenkins/commit/a0b00508eeb74d7033dc4100eb382df4e8fa72e7

Use CVE-2014-2065. This is an input-validation issue but perhaps
shouldn't be categorized as a standard XSS issue because of the
unusual threat model.


> SECURITY-75
> | Jenkins was vulnerable to session fixation attack. If Jenkins is
> | deployed in an environment that allows an attacker to override Jenkins
> | cookies in victim's browser, this vulnerability can be exploited.
> 
> https://github.com/jenkinsci/jenkins/commit/8ac74c350779921598f9d5edfed39dd35de8842a

Use CVE-2014-2066. Again, the unusual threat model might limit the practical
relevance of this.


> SECURITY-74
> | Stored XSS vulnerability. A malicious user of Jenkins with a certain set
> | of permissions can cause Jenkins to store arbitrary HTML fragment.
> 
> https://github.com/jenkinsci/jenkins/commit/5d57c855f3147bfc5e7fda9252317b428a700014

Use CVE-2014-2067.


> SECURITY-73
> | Some of the system diagnostic functionalities were checking a lesser
> | permission than it should have. In a very limited circumstances, this
> | can cause an attacker to gain information that he shouldn't have
> | access to.
> 
> https://github.com/jenkinsci/jenkins/commit/0530a6645aac10fec005614211660e98db44b5eb

Use CVE-2014-2068.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTBsmDAAoJEKllVAevmvms5NkH/RDlkoZIC6ktfTQtnYRRff4E
JwTVhINZ+fQTpcag3zCivHKzUxcxFOZL1aOntywuWdPDmNVSDorpuN1JDS6nQNgj
gai7aRx+g6ngg+phyAO06oNiAU4NzZm2B84KOtoOccuZWPFw1GOPgkoOT+IyDRes
NvYUgFB9ikcl8fJHroIZr14pwPUnSbVnb1xA3pOvReCdT9HfjYxMvl0Ax6i9g6ok
QLd56C8ARKBmjfHpWCYwVj00GiUshN9jv4rv9h+QdrdRoLvah5PAvMoLY6BoojFB
XVd5dg99XRV/+J/Izz3v1ooeSllncKri48NFSHq8cbJlMxj5YKuTWU2akT/FUC8=
=aoN1
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.