Date: Thu, 20 Feb 2014 22:39:46 -0500 (EST)
Subject: Re: Possible CVE Requests: several issues fixed in Jenkins (Advisory 2014-02-14)

> | In some places, Jenkins XML API uses XStream to deserialize arbitrary
> | content, which is affected by CVE-2013-7285 reported against XStream.
> | This allows malicious users of Jenkins with a limited set of permissions
> | to execute arbitrary code inside Jenkins master.

MITRE may be making a CVE assignment for SECURITY-105, but it won't be
immediate because we need to discuss that one internally within our
team more. This is related to:

not existing yet.

> where for SECURITY-76 and SECURITY-88 CVE-2013-5573 was assigned

> SECURITY-76 & SECURITY-88 / CVE-2013-5573
> | Restrictions of HTML tags for user-editable contents are too lax. This
> | allows malicious users of Jenkins to trick other unsuspecting users into
> | providing sensitive information.

The vendor says "SECURITY-76 & SECURITY-88 / CVE-2013-5573" on that
"Jenkins Security Advisory 2014-02-14" page, but the originally
intended scope of CVE-2013-5573 is only the issue involving FORM
elements (aka SECURITY-88), not the issue involving IFRAME elements
(aka SECURITY-76). This may be just a parsing difference. We believe

   SECURITY-76 & ( SECURITY-88 / CVE-2013-5573 )


   ( SECURITY-76 & SECURITY-88 ) / CVE-2013-5573

The commit that you didn't list is:

The IFRAME issue wasn't part of the original disclosures such as so we normally can't change
the scope of CVE-2013-5573 to include it later. and apparently are not
public, and could possibly have clarifying information (e.g., if there
were a later finding that only FORM is exploitable, and IFRAME isn't
actually exploitable). Unless that information becomes available and
suggests a different course of action, we will proceed to assign a new
CVE-2013-#### ID for SECURITY-76 soon.


Use CVE-2013-7330.

> | Plugging a hole in the earlier fix to SECURITY-55. Under some
> | circumstances, a malicious user of Jenkins can configure job X to
> | trigger another job Y that the user has no access to.

Use CVE-2014-2058.

> | CLI job creation had a directory traversal vulnerability. This allows a
> | malicious user of Jenkins with a limited set of permissions to overwrite
> | files in the Jenkins master and escalate privileges.

Use CVE-2014-2059.

> | The embedded Winstone servlet container is susceptible to a session
> | hijacking attack.
> (issue in jenkins-winstone?)

Use CVE-2014-2060.

> | The password input control in the password parameter definition in the
> | Jenkins UI was serving the actual value of the password in HTML, not an
> | encrypted one. If a sensitive value is set as the default value of such
> | a parameter definition, it can be exposed to an unintended audience.

Use CVE-2014-2061.

> | Deleting the user was not invalidating the API token, allowing users to
> | access Jenkins when they shouldn't be allowed to do so.

Use CVE-2014-2062.

> | Jenkins UI was vulnerable to clickjacking attacks.

Use CVE-2014-2063.

> | "Jenkins' own user database" was revealing the presence/absence of users
> | when login attempts fail.

Use CVE-2014-2064.

> | Jenkins had a cross-site scripting vulnerability in one of its cookies.
> | If Jenkins is deployed in an environment that allows an attacker to
> | override Jenkins cookies in the victim's browser, this vulnerability can be
> | exploited.

Use CVE-2014-2065. This is an input-validation issue but perhaps
shouldn't be categorized as a standard XSS issue because of the
unusual threat model.

> | Jenkins was vulnerable to a session fixation attack. If Jenkins is
> | deployed in an environment that allows an attacker to override Jenkins
> | cookies in the victim's browser, this vulnerability can be exploited.

Use CVE-2014-2066. Again, the unusual threat model might limit the practical
relevance of this.

> | Stored XSS vulnerability. A malicious user of Jenkins with a certain set
> | of permissions can cause Jenkins to store an arbitrary HTML fragment.

Use CVE-2014-2067.

> | Some of the system diagnostic functionalities were checking a lesser
> | permission than it should have. In very limited circumstances, this
> | can cause an attacker to gain information that he shouldn't have
> | access to.

Use CVE-2014-2068.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]