Date: Thu, 25 Jan 2018 10:01:56 +0100 From: Daniel Beck <ml@...kweb.net> To: oss-security@...ts.openwall.com Subject: Re: Multiple vulnerabilities in Jenkins plugins > On 22. Jan 2018, at 12:35, Daniel Beck <ml@...kweb.net> wrote: > > SECURITY-655 (PMD) CVE-2018-1000008 > SECURITY-656 (Checkstyle) CVE-2018-1000009 > SECURITY-657 (DRY) CVE-2018-1000010 > SECURITY-658 (FindBugs) CVE-2018-1000011 > SECURITY-695 (Warnings) CVE-2018-1000012 > Multiple plugins based on the Static Analysis Utilities plugin are affected by > an XML External Entity (XXE) processing vulnerability. This allows attacker to > configure build processes so that one of these plugins parses a maliciously > crafted file that uses external entities for extraction of secrets from the > Jenkins master, server-side request forgery, or denial-of-service attacks. > > > SECURITY-607 > Release plugin did not require form submissions to be submitted via POST, > resulting in a CSRF vulnerability allowing attackers to trigger release builds. CVE-2018-1000013 > SECURITY-507 > Translation Assistance did not require form submissions to be submitted via > POST, resulting in a CSRF vulnerability allowing attackers to override > localized strings displayed to all users on the current Jenkins instance if > the victim is a Jenkins administrator. CVE-2018-1000014 > SECURITY-675 > On instances with Authorize Project plugin, the authentication associated with > a build may lack the Computer/Build permission on some agents. This did not > prevent the execution of Pipeline `node` blocks on those agents due to > incorrect permissions checks in Pipeline: Nodes and Processes plugin. CVE-2018-1000015
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.