https://bugzilla.redhat.com/show_bug.cgi?id=1418713
Bug ID: 1418713 Summary: CVE-2017-2603 jenkins: User data leak in disconnected agents' config.xml API (SECURITY-362) Product: Security Response Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team@redhat.com Reporter: anemec@redhat.com CC: abhgupta@redhat.com, bleanhar@redhat.com, ccoleman@redhat.com, dedgar@redhat.com, dmcphers@redhat.com, java-sig-commits@lists.fedoraproject.org, jgoulding@redhat.com, jkeck@redhat.com, joelsmith@redhat.com, kseifried@redhat.com, mizdebsk@redhat.com, msrb@redhat.com, tdawson@redhat.com, tiwillia@redhat.com
The following flaw was found in Jenkins:
Agents that were disconnected by users contained the disconnecting user's User object in serialized form in the config.xml remote API output. This could leak sensitive data such as API tokens.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-...
Upstream patch:
https://github.com/jenkinsci/jenkins/commit/3cd946cbef82c6da5ccccf3890d0ae4e...