Date: Sat, 18 Nov 2017 08:22:51 +0100 From: Daniel Beck <ml@...kweb.net> To: oss-security@...ts.openwall.com Subject: Re: Multiple vulnerabilities in Jenkins > On 11. Oct 2017, at 18:21, Daniel Beck <ml@...kweb.net> wrote: > > SECURITY-478 > Users with permission to create or configure agents in Jenkins could > configure a launch method called Launch agent via execution of command on > master. This allowed them to run arbitrary shell commands on the master > node whenever the agent was supposed to be launched. CVE-2017-1000393 > SECURITY-514 > Information about Jenkins user accounts is generally available to anyone > with Overall/Read permissions via the /user/(username)/api remote API. This > included e.g. Jenkins users' email addresses if the Mailer Plugin is > installed. CVE-2017-1000395 > SECURITY-555 > Jenkins bundled a version of the commons-httpclient library with the > vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, > making it susceptible to man-in-the-middle attacks. CVE-2017-1000396 > SECURITY-611 > The remote API at /computer/(agent-name)/api showed information about tasks > (typically builds) currently running on that agent. This included > information about tasks that the current user otherwise has no access to, > e.g. due to lack of Job/Read permission. CVE-2017-1000398 > SECURITY-618 > The remote API at /queue/item/(ID)/api showed information about tasks in > the queue (typically builds waiting to start). This included information > about tasks that the current user otherwise has no access to, e.g. due to > lack of Job/Read permission. CVE-2017-1000399 > SECURITY-617 > The remote API at /job/(job-name)/api contained information about upstream > and downstream projects. This included information about tasks that the > current user otherwise has no access to, e.g. due to lack of Job/Read > permission. CVE-2017-1000400 > SECURITY-616 > The Jenkins default form control for passwords and other secrets, > <f:password/>, supports form validation (e.g. for API keys). The form > validation AJAX requests were sent via GET, which could result in secrets > being logged to a HTTP access log in non-default configurations of > Jenkins, and made available to users with access to these log files. CVE-2017-1000401
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.