Date: Thu, 12 May 2016 00:30:08 +0200 From: Daniel Beck <ml@...kweb.net> To: oss-security@...ts.openwall.com Subject: Jenkins - multiple fixes The Jenkins project published new releases today with fixes for multiple vulnerabilities. Users should upgrade to Jenkins 2.3 or Jenkins 1.651.2: https://jenkins.io/download/ Summary and description of the vulnerabilities are below. Some more details, severity, and attribution can be found here: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11 We provide advance notification for security updates on this mailing list: https://groups.google.com/d/forum/jenkinsci-advisories If you find security vulnerabilities in Jenkins, please report them as described here: https://jenkins.io/security/#reporting-vulnerabilities --- 1) SECURITY-170 / CVE-2016-3721: Arbitrary build parameters are passed to build scripts as environment variables Build parameters in Jenkins typically are passed to build scripts as environment variables. Some plugins allow passing arbitrary (undeclared) parameters. Depending on access permissions and installed plugins, malicious users were able to trigger builds, passing arbitrary environment variables (e.g. PATH) to modify the behavior of those builds. 2) SECURITY-243 / CVE-2016-3722: Malicious users with multiple user accounts can prevent other users from logging in By changing the freely editable 'full name', malicious users with multiple user accounts could prevent other users from logging in, as 'full name' was resolved before actual user name to determine which account is currently trying to log in. 3) SECURITY-250 / CVE-2016-3723: Information on installed plugins exposed via API The XML/JSON API endpoints providing information about installed plugins were missing permissions checks, allowing any user with read access to Jenkins to determine which plugins and versions were installed. 4) SECURITY-266 / CVE-2016-3724: Encrypted secrets (e.g. passwords) were leaked to users with permission to read configuration Users with extended read access could access encrypted secrets stored directly in the configuration of those items. 5) SECURITY-273 / CVE-2016-3725: Regular users can trigger download of update site metadata A missing permissions check allowed any user with access to Jenkins to trigger an update of update site metadata. This could be combined with DNS cache poisoning to disrupt Jenkins service. 6) SECURITY-276 / CVE-2016-3726: Open redirect to scheme-relative URLs Some Jenkins URLs did not properly validate the redirect URLs, which allowed malicious users to create URLs that redirect users to arbitrary scheme-relative URLs. 7) SECURITY-281 / CVE-2016-3727: Granting the permission to read node configurations allows access to overall system configuration The API URL /computer/(master)/api/xml allowed users with the 'extended read' permission for the master node to see some global Jenkins configuration, including the configuration of the security realm.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.