Date: Thu, 25 Jan 2018 10:01:56 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple vulnerabilities in Jenkins plugins

> On 22. Jan 2018, at 12:35, Daniel Beck <ml@...kweb.net> wrote:
>
> SECURITY-655 (PMD)

CVE-2018-1000008

> SECURITY-656 (Checkstyle)

CVE-2018-1000009

> SECURITY-657 (DRY)

CVE-2018-1000010

> SECURITY-658 (FindBugs)

CVE-2018-1000011

> SECURITY-695 (Warnings)

CVE-2018-1000012

> Multiple plugins based on the Static Analysis Utilities plugin are affected by
> an XML External Entity (XXE) processing vulnerability. This allows attackers to
> configure build processes so that one of these plugins parses a maliciously
> crafted file that uses external entities for extraction of secrets from the
> Jenkins master, server-side request forgery, or denial-of-service attacks.
>
>
> SECURITY-607
> Release plugin did not require form submissions to be submitted via POST,
> resulting in a CSRF vulnerability allowing attackers to trigger release builds.

CVE-2018-1000013

> SECURITY-507
> Translation Assistance did not require form submissions to be submitted via
> POST, resulting in a CSRF vulnerability allowing attackers to override
> localized strings displayed to all users on the current Jenkins instance if
> the victim is a Jenkins administrator.

CVE-2018-1000014

> SECURITY-675
> On instances with Authorize Project plugin, the authentication associated with
> a build may lack the Computer/Build permission on some agents. This did not
> prevent the execution of Pipeline `node` blocks on those agents due to
> incorrect permissions checks in Pipeline: Nodes and Processes plugin.

CVE-2018-1000015
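The XXE issue quoted above (SECURITY-655 through SECURITY-695) arises when a plugin hands an attacker-supplied report file to an XML parser that still resolves DOCTYPE declarations and external entities. The following is an added illustration, not code from Jenkins or from any of the affected plugins, of how a Java plugin can configure the JDK's DocumentBuilderFactory so that such input is rejected before any entity is resolved. The class name SafeXmlParse, the helper names and the sample XML string are constructed for this example; the feature URIs are the standard Xerces/JAXP ones.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class SafeXmlParse {
    // Constructed sample input (not from any real plugin report): a report-shaped
    // document that declares an external entity pointing at a local file. A parser
    // left at its defaults would try to read that file and inline its contents.
    static final String SAMPLE_WITH_ENTITY = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE report [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>\n"
        + "<report><file name=\"&ext;\"/></report>\n";

    // Constructed benign input: the shape a plugin actually expects.
    static final String SAMPLE_BENIGN = "<report><file name=\"Foo.java\"/></report>";

    /** Factory hardened against XXE: no DOCTYPE at all, no external entities or DTDs, no XInclude. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refusing every DOCTYPE closes off internal and external entity declarations alike.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that tolerate a DOCTYPE: never fetch anything external.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Enables the JAXP entity-expansion and access limits (counters "billion laughs" style DoS).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses untrusted XML; returns null when the hardened parser rejects the document. */
    static Document parseUntrusted(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        try {
            return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXParseException e) {
            // With disallow-doctype-decl the parser fails as soon as it sees the DOCTYPE,
            // before any SYSTEM identifier is resolved.
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        Document hostile = parseUntrusted(SAMPLE_WITH_ENTITY);
        System.out.println(hostile == null ? "entity-bearing input rejected" : "UNEXPECTED: parsed");

        Document ok = parseUntrusted(SAMPLE_BENIGN);
        System.out.println("benign input parsed, root element: " + ok.getDocumentElement().getTagName());
    }
}
```

The same features apply to SAXParserFactory and XMLInputFactory; whichever API a plugin uses, the check to make in review is that the parser is created through a factory configured this way rather than through a bare newInstance() call, and that report files from the build workspace are treated as untrusted input.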