Date: Mon, 10 Dec 2018 01:52:09 +0100
From: Daniel Beck <>
Subject: Re: Multiple vulnerabilities in Jenkins

> On 15. Aug 2018, at 17:10, Daniel Beck <> wrote:
> Jenkins allowed deserialization of URL objects via Remoting (agent 
> communication) and XStream.
> This could in rare cases be used by attackers to have Jenkins look up 
> specified hosts' DNS records.


> When attempting to authenticate using API token, an ephemeral user record 
> was created to validate the token in case an external security realm was 
> used, and the user record in Jenkins not previously saved, as (legacy) API 
> tokens could exist without a persisted user record.
> This behavior could be abused to create a large number of ephemeral user 
> records in memory.


> The form validation for cron expressions (e.g. "Poll SCM", "Build 
> periodically") could enter infinite loops when cron expressions only 
> matching certain rare dates were entered, blocking request handling 
> threads indefinitely.


> The "Remember me" feature can be disabled in the Jenkins security 
> configuration.
> This did not disable the processing of previously set "Remember me" 
> cookies, so they still allowed users to be logged in.


> Users with Overall/Read permission were able to access the URL serving 
> agent logs on the UI due to a lack of permission checks.


> Users with Overall/Read permission were able to access the URL used to 
> cancel scheduled restart jobs initiated via the update center ("Restart 
> Jenkins when installation is complete and no jobs are running") due to a 
> lack of permission checks.
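
The cron-expression issue quoted above (form validation that could loop indefinitely when an expression only matches rare or nonexistent dates) is illustrated below by an added example; it is not Jenkins code and not part of the original post. It is a small Python matcher for 5-field cron expressions with a constructed set of inputs. The four-year search horizon (`max_days`) and the simplification of requiring day-of-month and day-of-week to both match are assumptions of this example, not Jenkins behaviour. The unbounded function is included only to show the shape of the loop that hangs; the bounded one returns `None` so the validator can reject the input instead of losing a request thread.

```python
"""Bounded search for the next time a 5-field cron expression matches.

Added example (not Jenkins code). The failure mode from the advisory is an
unbounded "walk forward until a date matches" loop; an expression such as
'0 0 30 2 *' (30 February) never matches, so the loop never ends and the
request-handling thread is lost. The fix is an explicit search horizon.
"""
from datetime import datetime, timedelta

# (low, high) for minute, hour, day-of-month, month, day-of-week
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]

# Constructed reference time used by the demo at the bottom
REFERENCE_TIME = datetime(2018, 12, 10, 1, 52)


def _parse_field(spec, lo, hi):
    """Expand one field ('*', '*/15', '1-5', '1,15', '1-5/2') into a set of ints."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if step < 1 or start < lo or end > hi or start > end:
            raise ValueError(f"field {spec!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr):
    """Parse 'min hour dom month dow' into five value sets (Sunday is 0)."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected exactly 5 fields")
    sets = [_parse_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]
    if 7 in sets[4]:          # cron accepts 0 or 7 for Sunday
        sets[4].discard(7)
        sets[4].add(0)
    return sets


def _day_matches(day, dom, mon, dow):
    # Simplification assumed here: day-of-month AND day-of-week must both match
    # (classic cron ORs them when both fields are restricted).
    cron_dow = (day.weekday() + 1) % 7    # Python Monday=0 -> cron Sunday=0
    return day.month in mon and day.day in dom and cron_dow in dow


def _first_time_on_day(day, hours, minutes, start):
    """Earliest hour/minute combination on `day` that is not before `start`."""
    for h in sorted(hours):
        for m in sorted(minutes):
            candidate = day.replace(hour=h, minute=m)
            if candidate >= start:
                return candidate
    return None


def next_match_unbounded(expr, start):
    """The risky shape: no horizon. Never terminates for '0 0 30 2 *'.
    Kept only for contrast; the bounded version below is the one to use."""
    minutes, hours, dom, mon, dow = parse_cron(expr)
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    while True:
        if _day_matches(day, dom, mon, dow):
            hit = _first_time_on_day(day, hours, minutes, start)
            if hit is not None:
                return hit
        day += timedelta(days=1)


def next_match(expr, start, max_days=4 * 366):
    """Bounded version: give up after max_days and return None.

    A four-year horizon (assumed here) sees every month/day combination that
    exists, 29 February included, so None tells the validator the expression
    will not fire within the window and the input can be rejected."""
    minutes, hours, dom, mon, dow = parse_cron(expr)
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    for _ in range(max_days + 1):
        if _day_matches(day, dom, mon, dow):
            hit = _first_time_on_day(day, hours, minutes, start)
            if hit is not None:
                return hit
        day += timedelta(days=1)
    return None


if __name__ == "__main__":
    # Constructed inputs: a normal schedule, a leap-day schedule, two impossible
    # dates, and a leap day restricted to Mondays (rare, outside the horizon).
    for expr in ("30 2 * * *", "0 0 29 2 *", "0 0 30 2 *", "0 0 31 4 *", "0 0 29 2 1"):
        print(f"{expr:>12} -> {next_match(expr, REFERENCE_TIME)}")
```

The point of the horizon is that termination no longer depends on the input: whatever the user types into the form, the validator does a fixed amount of work and then answers either with a concrete next run time or with a rejection.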

