Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 12 May 2016 00:30:08 +0200
From: Daniel Beck <>
Subject: Jenkins - multiple fixes

The Jenkins project published new releases today with fixes for multiple
vulnerabilities. Users should upgrade to Jenkins 2.3 or Jenkins 1.651.2:

Summary and description of the vulnerabilities are below. Some more 
details, severity, and attribution can be found here:

We provide advance notification for security updates on this mailing

If you find security vulnerabilities in Jenkins, please report them as
described here:


SECURITY-170 / CVE-2016-3721: Arbitrary build parameters are passed to 
build scripts as environment variables

Build parameters in Jenkins typically are passed to build scripts as 
environment variables. Some plugins allow passing arbitrary (undeclared)
parameters. Depending on access permissions and installed plugins, 
malicious users were able to trigger builds, passing arbitrary 
environment variables (e.g. PATH) to modify the behavior of those builds.

SECURITY-243 / CVE-2016-3722: Malicious users with multiple user 
accounts can prevent other users from logging in

By changing the freely editable 'full name', malicious users with
multiple user accounts could prevent other users from logging in, as 
'full name' was resolved before actual user name to determine which 
account is currently trying to log in.

SECURITY-250 / CVE-2016-3723: Information on installed plugins exposed 
via API

The XML/JSON API endpoints providing information about installed plugins
were missing permissions checks, allowing any user with read access to
Jenkins to determine which plugins and versions were installed.

SECURITY-266 / CVE-2016-3724: Encrypted secrets (e.g. passwords) were
leaked to users with permission to read configuration

Users with extended read access could access encrypted secrets stored
directly in the configuration of those items.

SECURITY-273 / CVE-2016-3725: Regular users can trigger download of
update site metadata

A missing permissions check allowed any user with access to Jenkins 
to trigger an update of update site metadata. This could be combined
with DNS cache poisoning to disrupt Jenkins service.

SECURITY-276 / CVE-2016-3726: Open redirect to scheme-relative URLs

Some Jenkins URLs did not properly validate the redirect URLs, which
allowed malicious users to create URLs that redirect users to arbitrary
scheme-relative URLs.

SECURITY-281 / CVE-2016-3727: Granting the permission to read node
configurations allows access to overall system configuration

The API URL /computer/(master)/api/xml allowed users with the 'extended
read' permission for the master node to see some global Jenkins
configuration, including the configuration of the security realm.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.