Date: Wed, 14 Feb 2018 16:35:43 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins

Jenkins is an open source automation server which enables developers around 
the world to reliably build, test, and deploy their software. The following 
releases contain fixes for security vulnerabilities:

* Jenkins (weekly) 2.107
* Jenkins (LTS) 2.89.4

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://jenkins.io/security/advisory/2018-02-14/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you find security vulnerabilities in Jenkins, please report them as
described here:
https://jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-506
The form validation for the proxy configuration form did not check the 
permission of the user accessing it, allowing anyone with Overall/Read 
access to Jenkins to cause Jenkins to send a GET request to a specified 
URL, optionally with a specified proxy configuration.

If that request's HTTP response code indicates success, the form validation 
returns a generic success message; otherwise the HTTP status code is 
returned to the caller. It was not possible to reuse an existing proxy 
configuration to send those requests; that configuration had to be provided 
by the attacker.
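The pattern behind SECURITY-506 is a Stapler form-validation method that performs an outbound request before checking who is asking. The following is an added illustration, not Jenkins core code and not the actual fix: the class, method and parameter names (ProxyProbeConfiguration, doCheckTargetInsecure, doCheckTarget, proxyHost, proxyPort) are assumptions chosen for the example. It shows the vulnerable shape beside a hardened one that checks Overall/Administer before any side effect and answers only POST.

```java
import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;

/**
 * Illustrative global configuration whose form validation performs a live GET,
 * optionally through a caller-supplied proxy. Added example only; not Jenkins
 * core code. All names in this class are assumptions for the illustration.
 */
@Extension
public class ProxyProbeConfiguration extends GlobalConfiguration {

    /**
     * Vulnerable shape: Stapler exposes this as a URL reachable by anyone who can
     * access the descriptor, i.e. anyone with Overall/Read. Jenkins then sends a GET
     * wherever the caller says and echoes the outcome back (SSRF plus status oracle).
     */
    public FormValidation doCheckTargetInsecure(@QueryParameter String value,
                                                @QueryParameter String proxyHost,
                                                @QueryParameter String proxyPort) {
        return probe(value, proxyHost, proxyPort);
    }

    /**
     * Hardened shape: the permission check runs before any side effect, and
     * @RequirePOST keeps the request from being triggered by a plain link.
     * An administrator can still point Jenkins at any URL; that is the intended
     * use of a proxy test and is no longer reachable by ordinary users.
     */
    @RequirePOST
    public FormValidation doCheckTarget(@QueryParameter String value,
                                        @QueryParameter String proxyHost,
                                        @QueryParameter String proxyPort) {
        Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
        return probe(value, proxyHost, proxyPort);
    }

    /** Shared request logic; identical in both shapes so the only difference is the guard. */
    private static FormValidation probe(String target, String proxyHost, String proxyPort) {
        try {
            Proxy proxy = Proxy.NO_PROXY;
            if (proxyHost != null && !proxyHost.isEmpty()) {
                int port = Integer.parseInt(proxyPort);
                proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(proxyHost, port));
            }
            HttpURLConnection con = (HttpURLConnection) new URL(target).openConnection(proxy);
            con.setRequestMethod("GET");
            con.setConnectTimeout(5000);
            con.setReadTimeout(5000);
            int code = con.getResponseCode();
            // 2xx collapses to a generic success; anything else reveals the exact status,
            // which is the information leak the advisory describes.
            return code / 100 == 2 ? FormValidation.ok() : FormValidation.error("HTTP " + code);
        } catch (NumberFormatException e) {
            return FormValidation.error("Invalid proxy port");
        } catch (IOException e) {
            return FormValidation.error(e, "Request failed");
        }
    }
}
```

Jenkins.getInstance() is used because it exists on both release lines named above; newer cores also offer Jenkins.get(). The check must come first in the method body: a validation that performs the request and only then consults permissions has already done the attacker's work.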


SECURITY-705 / CVE-2018-6356
Jenkins did not properly prevent specifying relative paths that escape a 
base directory for URLs accessing plugin resource files. This allowed users 
with Overall/Read permission to download files from the Jenkins master they 
should not have access to.

On Windows, any file accessible to the Jenkins master process could be 
downloaded. On other operating systems, any file within the Jenkins home 
directory accessible to the Jenkins master process could be downloaded.


SECURITY-717
Jenkins did not take into account case-insensitive file systems when 
preventing access to plugin resource files that should not be accessible. 
This allowed users with Overall/Read permission to download plugin resource 
files in META-INF and WEB-INF directories, such as the plugins' JAR files, 
which could contain hardcoded secrets.
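SECURITY-705 and SECURITY-717 are two failures of one check: resolving a URL path against a plugin's resource directory. The following is an added example, not Jenkins core code and not the project's fix; the class and method names (PluginResourcePath, resolve) and the directory layout in main are assumptions. It rejects traversal with either separator, refuses absolute and drive-letter paths (the reason Windows was exposed more broadly), and compares the denied directory names case-insensitively so that a case-insensitive file system cannot be used to reach META-INF or WEB-INF.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;

/**
 * Maps a resource path from a URL onto a plugin's exploded resource directory.
 * Added example only; not Jenkins core. Assumes the servlet container has already
 * URL-decoded the path (so "%2e%2e" arrives as "..").
 */
public final class PluginResourcePath {

    /** Directory names that must never be served, whatever their case on disk. */
    private static final String[] DENIED_SEGMENTS = {"META-INF", "WEB-INF"};

    /** Returns the file to serve, or null when the request must be refused. */
    public static Path resolve(Path pluginBase, String requested) {
        if (requested == null || requested.isEmpty()) return null;

        // Treat backslash as a separator on every platform: Windows does, so
        // "..\\..\\x" must not pass a check that only looks for "/".
        String normalized = requested.replace('\\', '/');

        // A leading separator or a drive letter ("C:") is an absolute path and
        // would let the file system ignore the base directory entirely.
        if (normalized.startsWith("/") || normalized.indexOf(':') >= 0) return null;

        for (String segment : normalized.split("/")) {
            // Empty ("a//b"), "." and ".." segments are never legitimate here.
            if (segment.isEmpty() || segment.equals(".") || segment.equals("..")) return null;
            // Case-insensitive comparison: "meta-inf" and "META-INF" are the same
            // directory on Windows and on default macOS volumes.
            String upper = segment.toUpperCase(Locale.ROOT);
            for (String denied : DENIED_SEGMENTS) {
                if (upper.equals(denied)) return null;
            }
        }

        // Defence in depth: after normalisation the result must still lie under the base.
        Path base = pluginBase.toAbsolutePath().normalize();
        Path target = base.resolve(normalized).normalize();
        return target.startsWith(base) ? target : null;
    }

    public static void main(String[] args) {
        Path base = Paths.get("/var/lib/jenkins/plugins/example"); // assumed layout
        String[] probes = {
            "images/logo.png",          // legitimate resource
            "../../secrets.xml",        // escape with "/"
            "..\\..\\secrets.xml",      // escape with "\" (Windows semantics)
            "C:\\Windows\\win.ini",     // absolute Windows path
            "META-INF/MANIFEST.MF",     // denied directory
            "meta-inf/MANIFEST.MF",     // same file on a case-insensitive file system
            "WEB-INF/lib/example.jar",  // the plugin JAR itself
        };
        for (String p : probes) {
            Path r = resolve(base, p);
            System.out.println((r == null ? "REJECT " : "SERVE  ") + p + (r == null ? "" : " -> " + r));
        }
    }
}
```

The segment check and the final startsWith check overlap on purpose: the first rejects the request before any file-system call, the second catches anything a future change to the segment rules lets through. Symbolic links inside the resource directory are outside what this check covers; a deployment that allows them would need Path.toRealPath() on both sides of the comparison.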
