[FFe] XSS vulnerability in Jenkins
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| jenkins (Debian) | Fix Released | Unknown | | |
| jenkins (Ubuntu) | Fix Released | High | James Page | |
| Oneiric | Won't Fix | High | James Page | |
| Precise | Fix Released | High | James Page | |
Bug Description
Rationale:
https:/
This advisory announces a couple of critical security vulnerabilities that were found in Jenkins core.
The first vulnerability is a directory traversal vulnerability. This allows an anonymous attacker to read files in the file system that shouldn't be exposed. This vulnerability affects Jenkins instances that run on Windows, whether or not the access control in Jenkins is enabled. Those file reads are still subject to OS-level access control, and therefore an attacker will only gain access to files that are readable to the OS user that runs the Jenkins process. This is a vulnerability in the built-in servlet container (named Winstone), and therefore the only affected users are those who are running Jenkins via java -jar jenkins.war (this includes users of the Windows installer). This vulnerability affects all versions of Jenkins up to and including 1.452, and LTS releases up to and including 1.424.3.
The second vulnerability is a cross-site scripting (XSS) vulnerability, which allows an attacker to inject malicious HTML into pages served by Jenkins. This allows an attacker to escalate his privileges by hijacking sessions of other users. This vulnerability affects all versions of Jenkins up to and including 1.452, and LTS releases up to and including 1.424.3, regardless of the security settings.
As Ubuntu is not Windows, we are only impacted by the second (XSS) vulnerability.
This will require a new package: owasp-java-
Build Logs: see attached
Install logs: see attached (jenkins build pulls in owasp-java-
Testing: I've validated the revised jenkins packages install and function at a basic level, i.e. Jenkins is able to execute some basic jobs.
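A check against the affected-version thresholds quoted in the advisory above, added here as an example and not code from the advisory or the Ubuntu package. It assumes that three-component versions (1.424.3) are LTS releases and two-component versions (1.452) are weekly releases, which is the convention the advisory's numbers follow, and it applies the Windows/Winstone condition the advisory gives for the traversal issue.

```python
# Added example: classify a Jenkins version against the thresholds quoted in
# the advisory (weekly <= 1.452, LTS <= 1.424.3). The LTS/weekly split by
# component count is an assumption based on the numbers the advisory uses.
from typing import Tuple

WEEKLY_LAST_AFFECTED = (1, 452)     # weekly releases up to and including 1.452
LTS_LAST_AFFECTED = (1, 424, 3)     # LTS releases up to and including 1.424.3


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse 'X.Y' or 'X.Y.Z' into a tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(p) for p in parts)


def release_line(version: Tuple[int, ...]) -> str:
    """Three components (1.424.3) are LTS; two components (1.452) are weekly."""
    return "lts" if len(version) == 3 else "weekly"


def xss_affected(text: str) -> bool:
    """True if this version is within the XSS-affected range for its release line."""
    v = parse_version(text)
    limit = LTS_LAST_AFFECTED if release_line(v) == "lts" else WEEKLY_LAST_AFFECTED
    return v <= limit


def traversal_affected(text: str, os_name: str, winstone: bool) -> bool:
    """The directory traversal needs all three: an affected version, Windows, and
    the built-in Winstone container (java -jar jenkins.war or the Windows installer).
    The version range is the same as for the XSS issue."""
    return xss_affected(text) and os_name.lower() == "windows" and winstone


if __name__ == "__main__":
    # Constructed sample inputs: the Ubuntu case from this bug is Linux, so only
    # the XSS issue applies there.
    for ver, os_name in [("1.452", "Linux"), ("1.424.3", "Windows"), ("1.453", "Linux")]:
        print(ver, os_name, "xss:", xss_affected(ver),
              "traversal:", traversal_affected(ver, os_name, winstone=True))
```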
Changed in jenkins (Ubuntu Precise):
- assignee: nobody → James Page (james-page)
- importance: Undecided → Medium

Changed in jenkins (Ubuntu Oneiric):
- importance: Undecided → Medium

Changed in jenkins (Ubuntu Precise):
- status: New → In Progress
- visibility: private → public
- description: updated
- description: updated
- description: updated

Changed in jenkins (Ubuntu Precise):
- importance: Medium → High

Changed in jenkins (Ubuntu Oneiric):
- importance: Medium → High
- status: New → Confirmed

Changed in jenkins (Ubuntu Precise):
- milestone: none → ubuntu-12.04-beta-2

Changed in jenkins (Debian):
- status: Unknown → Confirmed

Changed in jenkins (Ubuntu Oneiric):
- assignee: nobody → James Page (james-page)

Changed in jenkins (Debian):
- status: Confirmed → Fix Released
It should be possible to cherry pick the required commits for backporting to the version of Jenkins in Oneiric as well.