Bug#664057: jenkins: XSS security vulnerability

James Page james.page at ubuntu.com
Thu Mar 15 10:43:58 UTC 2012


Package: jenkins
Version: 1.424.3+dfsg-1
Severity: normal
Tags: upstream

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-03-05

This advisory announces a couple of critical security vulnerabilities 
that were found in Jenkins core.

The first vulnerability is a directory traversal vulnerability. This allows 
an anonymous attacker to read files in the file system that shouldn't be exposed. 
This vulnerability affects Jenkins that run on Windows, whether or not the 
access control in Jenkins is enabled. Those file reads are still subject to 
OS-level access control, and therefore an attacker will only gain access to files 
that are readable to the OS user that runs the Jenkins process. This is a 
vulnerability in the built-in servlet container (named Winstone), and therefore 
the only affected users are those who are running Jenkins via 
java -jar jenkins.war (this includes users of the Windows installer.) 

This vulnerability affects all versions of Jenkins up to and including 1.452, 
and LTS releases up to and including 1.424.3.

The second vulnerability is a cross-site scripting (XSS) vulnerability, 
which allows an attacker to inject malicious HTML into pages served by Jenkins. 
This allows an attacker to escalate his privileges by hijacking sessions of 
other users. This vulnerability affects all versions of Jenkins up to and 
including 1.452, and LTS releases up to and including 1.424.3, regardless 
of the security settings.

The Debian package is only impacted by the second vulnerability and requires a
new package, owasp-java-html-sanitizer (see 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=664055).

This is also being addressed in Ubuntu, which is nearing beta-2 for precise:

https://bugs.launchpad.net/ubuntu/+source/jenkins/+bug/954960


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-18-generic (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
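The fix the report points at is output sanitization: rather than trying to reject known-bad markup, user-supplied HTML is run through an allow-list policy before it reaches the page, so script elements and event-handler attributes never survive. The following is an added example of that approach using the OWASP Java HTML Sanitizer named in the report; it is not code from the bug report, from Debian, or from Jenkins itself. It assumes the owasp-java-html-sanitizer jar is on the classpath; the class name and the sample inputs are constructed for illustration.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

/**
 * Added example: allow-list HTML sanitization with owasp-java-html-sanitizer.
 * Everything not explicitly permitted by the policy is dropped, which is what
 * makes this approach robust against injected markup.
 */
public class SanitizeDemo {

    // Prebuilt allow-list policies shipped with the library:
    // FORMATTING = inline formatting (b, i, u, ...), BLOCKS = p, div, headings,
    // LINKS = <a href> restricted to standard protocols, with rel="nofollow" added.
    private static final PolicyFactory PREBUILT =
        Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.LINKS);

    // A hand-written policy for contexts where only a tiny subset is needed.
    // Only <p> and <a href> with http/https/mailto URLs are allowed; everything
    // else, including every on* attribute, is removed.
    private static final PolicyFactory MINIMAL = new HtmlPolicyBuilder()
        .allowElements("p", "a")
        .allowAttributes("href").onElements("a")
        .allowStandardUrlProtocols()
        .toFactory();

    /** Sanitize untrusted markup with the prebuilt policy set. */
    public static String sanitize(String untrusted) {
        return PREBUILT.sanitize(untrusted);
    }

    /** Sanitize untrusted markup with the minimal hand-written policy. */
    public static String sanitizeMinimal(String untrusted) {
        return MINIMAL.sanitize(untrusted);
    }

    public static void main(String[] args) {
        // Constructed sample inputs of the kind a build description or
        // user-editable field might carry. Assumed values, not from the report.
        String[] samples = {
            "<p>Build notes for <b>release 1.0</b></p>",
            "<p onmouseover=\"doSomething()\">hover me</p>",
            "<script>doSomething()</script><i>trailing text</i>",
            "<a href=\"javascript:doSomething()\">link</a>",
            "<a href=\"https://example.invalid/\">safe link</a>"
        };
        for (String s : samples) {
            System.out.println("input   : " + s);
            System.out.println("prebuilt: " + sanitize(s));
            System.out.println("minimal : " + sanitizeMinimal(s));
            System.out.println();
        }
    }
}
```

Running this shows the two behaviours a reviewer of such a fix should look for: the script element and the onmouseover attribute are removed outright rather than escaped, and the javascript: link loses its href because the protocol is not on the allow-list, while the https link is kept. The policy, not the input, decides what is rendered; that is the property the Jenkins fix relies on.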
