Date: Wed, 23 Jan 2019 11:21:11 +0100
From: Daniel Beck <>
Subject: Re: Multiple vulnerabilities in Jenkins

> On 10. Oct 2018, at 17:11, Daniel Beck <> wrote:
> A path traversal vulnerability in Stapler allowed viewing routable objects 
> with views defined on any type. This could be used to access internal data 
> of routable objects, e.g. by showing their string representation (#toString).


> Users with Job/Configure permission could specify a relative path escaping 
> the base directory in the file name portion of a file parameter definition. 
> This path would be used to archive the uploaded file on the Jenkins master, 
> resulting in an arbitrary file write vulnerability.
> File parameters that escape the base directory are no longer accepted and 
> the build will fail.


> The wrapper query parameter for the XML variant of the Jenkins remote API 
> did not validate the specified tag name. This resulted in a reflected 
> cross-site scripting vulnerability.
> Only legal XML tag names are now allowed for the wrapper query parameter.


> By accessing a specific crafted URL on Jenkins instances using Jenkins' own 
> user database, users without Overall/Read access could create ephemeral 
> user records.
> This behavior could be abused to create a large number of ephemeral user 
> records in memory.
> Accessing this URL now no longer results in a user record getting created.


> When signing up for a new user account on instances using Jenkins' own user 
> database, Jenkins did not invalidate the existing session and create a new 
> one. This allowed session fixation.
> Jenkins now invalidates the existing session and creates a new one when 
> logging in after user signup.


> When Jenkins fails to process form submissions due to an internal error, 
> the error message shown to the user and written to the log typically 
> includes the serialized JSON form submission. Secrets, such as submitted 
> passwords, might be included with the JSON object, and shown or written to 
> disk in plain text.
> Jenkins now masks values in these error messages from view if they were 
> shown on the UI as password form fields.

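Editor's added example, not part of the post or of Jenkins' own code: the two server-side checks the fixes above describe, written as stand-alone Python. The first rejects a file parameter name that resolves outside the archive base directory (the base path below is a constructed placeholder, not Jenkins' real layout); the second accepts only a legal XML 1.0 Name for the `wrapper` query parameter, which rules out any character that could close the wrapping element.

```python
import posixpath
import re

# XML 1.0 (5th ed.) Name production: one NameStartChar, then NameChar*.
# Anything that fails this contains no '<', '>', '"', '/', or whitespace,
# so it cannot break out of the element the response is wrapped in.
_NAME_START = (
    ":A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D"
    "\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF"
    "\uF900-\uFDCF\uFDF0-\uFFFD\U00010000-\U000EFFFF"
)
_NAME_CHAR = _NAME_START + "\\-.0-9\u00B7\u0300-\u036F\u203F-\u2040"
_XML_NAME = re.compile(f"[{_NAME_START}][{_NAME_CHAR}]*")


def is_legal_xml_tag_name(name: str) -> bool:
    # fullmatch (not '$') so a trailing newline is rejected too
    return _XML_NAME.fullmatch(name) is not None


def wrap_xml_response(wrapper: str, body_xml: str) -> str:
    """Fixed behaviour: refuse a wrapper that is not a legal tag name."""
    if not is_legal_xml_tag_name(wrapper):
        raise ValueError("wrapper is not a legal XML tag name")
    return f"<{wrapper}>{body_xml}</{wrapper}>"


def file_parameter_escapes_base(base_dir: str, file_name: str) -> bool:
    """True when the file parameter name resolves outside base_dir, which the
    fix rejects (the build fails). Backslashes count as separators so a
    Windows-style '..\\' sequence is caught on a POSIX master as well.
    An absolute file_name replaces base_dir in join() and is caught too."""
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, file_name.replace("\\", "/")))
    prefix = base if base.endswith("/") else base + "/"
    return not target.startswith(prefix)  # must be strictly inside base_dir


if __name__ == "__main__":
    # Constructed placeholder path, not Jenkins' actual directory layout.
    base = "/var/lib/jenkins/jobs/demo/builds/7/fileParameters"
    for name in ("report.txt", "../../../secrets", "/etc/passwd", "..\\..\\x"):
        print(f"{name!r}: escapes={file_parameter_escapes_base(base, name)}")
    for wrapper in ("items", "1items", "a><b"):
        print(f"{wrapper!r}: legal={is_legal_xml_tag_name(wrapper)}")
```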
