Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <077A6F23-B377-4356-8FD7-A21B6AB47148@beckweb.net>
Date: Wed, 14 Feb 2018 16:35:43 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins

Jenkins is an open source automation server which enables developers around 
the world to reliably build, test, and deploy their software. The following 
releases contain fixes for security vulnerabilities:

* Jenkins (weekly) 2.107
* Jenkins (LTS) 2.89.4

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://jenkins.io/security/advisory/2018-02-14/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you find security vulnerabilities in Jenkins, please report them as
described here:
https://jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-506
The form validation for the proxy configuration form did not check the 
permission of the user accessing it, allowing anyone with Overall/Read 
access to Jenkins to cause Jenkins to send a GET request to a specified 
URL, optionally with a specified proxy configuration.

If that request’s HTTP response code indicates success, the form validation 
is returning a generic success message, otherwise the HTTP status code is 
returned. It was not possible to reuse an existing proxy configuration to 
send those requests; that configuration had to be provided by the attacker.


SECURITY-705 / CVE-2018-6356
Jenkins did not properly prevent specifying relative paths that escape a 
base directory for URLs accessing plugin resource files. This allowed users 
with Overall/Read permission to download files from the Jenkins master they 
should not have access to.

On Windows, any file accessible to the Jenkins master process could be 
downloaded. On other operating systems, any file within the Jenkins home 
directory accessible to the Jenkins master process could be downloaded.


SECURITY-717
Jenkins did not take into account case-insensitive file systems when 
preventing access to plugin resource files that should not be accessible. 
This allowed users with Overall/Read permission to download plugin resource 
files in META-INF and WEB-INF directories, such as the plugins' JAR files, 
which could contain hardcoded secrets.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.