Multiple security issues in Jenkins
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| jenkins (Debian) |
Fix Released
|
Unknown
|
|||
| jenkins (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
| Precise |
Won't Fix
|
High
|
Unassigned | ||
| Raring |
Fix Released
|
High
|
Unassigned | ||
| jenkins-winstone (Debian) |
Fix Released
|
Unknown
|
|||
| jenkins-winstone (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
| Precise |
Won't Fix
|
High
|
Unassigned | ||
| Raring |
Fix Released
|
High
|
Unassigned | ||
Bug Description
https:/
Description
The first vulnerability is commonly known as HTTP response splitting vulnerability, which can act as a cross-site scripting vulnerability. This allows an anonymous attacker to inject malicious HTMLs to pages served by Jenkins. This in turn allows an attacker to escalate his privileges by hijacking sessions of other users. To mount this attack, the attacker needs to know the exact URL of your Jenkins installation. This vulnerability affects those who run Jenkins on its built-in servlet container (this includes all the native packages.)
The second vulnerability is so-called open redirect vulnerability. This allows an anonymous attacker to create an URL that looks as if it's pointing to Jenkins, yet it actually lands on the site that the attacker controls. This can be therefore used as a basis for phishing.
The third vulnerability is a cross-site scripting vulnerability that allows an attacker with some degree of write access in Jenkins to embed malicious JavaScript into pages generated by Jenkins.
These vulnerabilities are discovered by Soroush Dalili, and we'd like to thank him.
Severity
These combined vulnerabilities are rated as high, as they allow malicious users to gain unauthorized access to the information and impersonate the administrator of the system. On the other hands, this attack can be only mounted passively, and the attacker needs to know the URL of your Jenkins installations.
Fix
Main line users should upgrade to Jenkins 1.491
LTS users should upgrade to 1.480.1
All the prior versions are affected by these vulnerabilities.
| James Page (james-page) wrote | #1 |
| information type: | Public → Public Security |
| Changed in jenkins (Ubuntu Oneiric): | |
| importance: | Undecided → High |
| Changed in jenkins (Ubuntu Precise): | |
| importance: | Undecided → High |
| Changed in jenkins-winstone (Ubuntu Raring): | |
| importance: | Undecided → High |
| status: | New → Fix Released |
| Changed in jenkins-winstone (Ubuntu Quantal): | |
| importance: | Undecided → High |
| Changed in jenkins-winstone (Ubuntu Precise): | |
| importance: | Undecided → High |
| Changed in jenkins-winstone (Ubuntu Oneiric): | |
| importance: | Undecided → High |
| Changed in jenkins (Ubuntu Raring): | |
| importance: | Undecided → High |
| Changed in jenkins (Ubuntu Quantal): | |
| importance: | Undecided → High |
| Changed in jenkins (Debian): | |
| status: | Unknown → Fix Released |
| Changed in jenkins-winstone (Debian): | |
| status: | Unknown → Fix Released |
| Changed in jenkins (Ubuntu Raring): | |
| status: | New → Fix Released |
| Jamie Strandboge (jdstrand) wrote | #2 |
| Changed in jenkins-winstone (Ubuntu Oneiric): | |
| status: | New → Won't Fix |
| Jamie Strandboge (jdstrand) wrote | #3 |
| Changed in jenkins (Ubuntu Oneiric): | |
| status: | New → Won't Fix |
| no longer affects: | jenkins-winstone (Ubuntu Oneiric) |
| no longer affects: | jenkins-winstone (Ubuntu Quantal) |
| no longer affects: | jenkins (Ubuntu Oneiric) |
| no longer affects: | jenkins (Ubuntu Quantal) |
| Steve Langasek (vorlon) wrote | #4 |
| Changed in jenkins (Ubuntu Precise): | |
| status: | New → Won't Fix |
| Changed in jenkins-winstone (Ubuntu Precise): | |
| status: | New → Won't Fix |
Fixed with latest sync from Debian experimental