https://bugzilla.redhat.com/show_bug.cgi?id=1797062
Bug ID: 1797062
Summary: CVE-2020-2103 jenkins: Exposed session identifiers on user detail object in the whoAmI diagnostic page
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: psampaio@redhat.com
CC: abenaiss@redhat.com, adam.kaplan@redhat.com, aos-bugs@redhat.com, bmontgom@redhat.com, eparis@redhat.com, extras-orphan@fedoraproject.org, java-sig-commits@lists.fedoraproject.org, jburrell@redhat.com, jokerman@redhat.com, mizdebsk@redhat.com, msrb@redhat.com, nstielau@redhat.com, pbhattac@redhat.com, sponnaga@redhat.com, vbobade@redhat.com, wzheng@redhat.com
Target Milestone: ---
Classification: Other
Jenkins 2.218 and earlier, and LTS 2.204.1 and earlier, expose session identifiers in the user-detail object shown on the whoAmI diagnostic page. A session ID rendered into page content is a credential: anyone who obtains a copy of that page (for example from a screenshot or a diagnostic paste shared for support) can reuse the session it belongs to. Comment #5 below records the fix for this bug as shipping with Jenkins 2.204.2.
References:
https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1695
https://www.openwall.com/lists/oss-security/2020/01/29/1
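The description above, as an added example that is not part of the Bugzilla page or the Jenkins project: a Python check that classifies a Jenkins version string against the affected ranges quoted in the description, and tests whether a /whoAmI/ response body contains the caller's own session identifier. The request path /whoAmI/, the X-Jenkins response header, the JSESSIONID cookie naming, the Jetty ".<worker>" cookie suffix and the shape of the sample response rows are assumptions for illustration; the sample cookie and bodies are constructed, not captured from a server.

```python
import re
import urllib.request

# Affected ranges as stated in the CVE description: weekly 2.218 and earlier,
# LTS 2.204.1 and earlier.
LAST_AFFECTED_WEEKLY = (2, 218)
LAST_AFFECTED_LTS = (2, 204, 1)


def parse_version(version):
    """Turn a Jenkins version string ('2.218', '2.204.1', '2.204.2-rc') into an int tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"not a Jenkins version string: {version!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_affected_version(version):
    """True if the version is inside the affected range of the CVE description.

    Weekly releases have two components (2.218), LTS releases three (2.204.1);
    each line is compared against its own last affected release.
    """
    parts = parse_version(version)
    if len(parts) == 3:
        return parts <= LAST_AFFECTED_LTS
    return parts <= LAST_AFFECTED_WEEKLY


def session_cookie_values(cookie_header):
    """Values of Jenkins session cookies in a Cookie request header.

    Jenkins names its session cookie JSESSIONID, normally with a per-instance
    suffix (JSESSIONID.<hash>), so match on the prefix, not the exact name.
    """
    values = []
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name.upper().startswith("JSESSIONID") and value:
            values.append(value)
    return values


def session_id_candidates(cookie_header):
    """Strings whose presence in a page body would reveal the session.

    Jetty, which Jenkins embeds, appends '.<worker>' to the cookie value
    ('node0abc123.node0') while the server-side session ID is 'node0abc123'.
    Checking only the full cookie value would miss a leak of the bare ID.
    """
    candidates = set()
    for value in session_cookie_values(cookie_header):
        candidates.add(value)
        candidates.add(value.rsplit(".", 1)[0])
    return candidates


def session_id_exposed(body, cookie_header):
    """True if any form of the caller's session identifier appears in the body."""
    return any(sid in body for sid in session_id_candidates(cookie_header))


def check_whoami(base_url, cookie_header, timeout=10):
    """Live check against a real instance (not exercised by the offline samples).

    Requests /whoAmI/ with an existing authenticated session cookie, reads the
    version from the X-Jenkins response header and tests the body for the
    session ID. Use only against an instance you are authorised to test.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/whoAmI/", headers={"Cookie": cookie_header}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        version = resp.headers.get("X-Jenkins", "")
        body = resp.read().decode("utf-8", "replace")
    return {
        "version": version,
        "affected_version": is_affected_version(version) if version else None,
        "session_id_exposed": session_id_exposed(body, cookie_header),
    }


# Constructed sample data, not captured from a real server. The vulnerable body
# assumes the leak is the string form of the authentication-details object,
# which carries the session ID; the fixed body has no such row.
SAMPLE_COOKIE = "JSESSIONID.3f1a9b2c=node0abc123def456.node0; screenResolution=1920x1080"
SAMPLE_VULNERABLE_BODY = (
    "<tr><td>Name</td><td>alice</td></tr>\n"
    "<tr><td>IsAuthenticated?</td><td>true</td></tr>\n"
    "<tr><td>Authorities</td><td>authenticated</td></tr>\n"
    "<tr><td>Details</td><td>RemoteIpAddress: 10.0.0.5; SessionId: node0abc123def456</td></tr>\n"
)
SAMPLE_FIXED_BODY = SAMPLE_VULNERABLE_BODY.rsplit("<tr><td>Details", 1)[0]

if __name__ == "__main__":
    for label, body in (("vulnerable", SAMPLE_VULNERABLE_BODY), ("fixed", SAMPLE_FIXED_BODY)):
        print(label, "sample leaks session ID:", session_id_exposed(body, SAMPLE_COOKIE))
    for v in ("2.218", "2.219", "2.204.1", "2.204.2"):
        print(v, "affected:", is_affected_version(v))
```

The version comparison alone is not conclusive for vendor-rebuilt images (such as the OpenShift Jenkins image discussed in the comments), which may carry a backported fix under an older version string, so the behavioural check on the page body is the one to rely on. The candidate set deliberately includes the cookie value with its worker suffix stripped, because a check that only looks for the exact cookie value reports "not exposed" against a page that prints the bare session ID.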
Pedro Sampaio psampaio@redhat.com changed:
    What       | Removed | Added
    -----------+---------+---------
    Depends On |         | 1797063
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1797063 [Bug 1797063] CVE-2020-2103 jenkins: Exposed session identifiers on user detail object in the whoAmI diagnostic page [fedora-all]
--- Comment #1 from Pedro Sampaio psampaio@redhat.com --- Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1797063]
Pedro Sampaio psampaio@redhat.com changed:
    What       | Removed | Added
    -----------+---------+---------
    Blocks     |         | 1797089
Sam Fowler sfowler@redhat.com changed:
    What       | Removed | Added
    -----------+---------+---------
    Depends On |         | 1797143
Sam Fowler sfowler@redhat.com changed:
    What       | Removed | Added
    -----------+---------+---------
    Depends On |         | 1797144
Sam Fowler sfowler@redhat.com changed:
    What       | Removed | Added
    -----------+---------+---------
    Depends On |         | 1797146
--- Comment #4 from Sam Fowler sfowler@redhat.com --- "Any security advisory related updates to Jenkins core or the plugins we include in the OpenShift Jenkins master image will only occur in the v3.11 and v4.x branches of this repository."
https://github.com/openshift/jenkins/blob/master/README.md#jenkins-security-...
--- Comment #5 from Akram Ben Aissi abenaiss@redhat.com --- This bug has been fixed by https://errata.devel.redhat.com/advisory/50532 that brought Jenkins 2.204.2
Akram Ben Aissi abenaiss@redhat.com changed:
    What       | Removed | Added
    -----------+---------+---------
    Depends On |         | 1813070
Vikas Laad vlaad@redhat.com changed:
    What       | Removed | Added
    -----------+---------+---------
    Depends On |         | 1873172
Bug 1797062 depends on bug 1797063, which changed state.
Bug 1797063 Summary: CVE-2020-2103 jenkins: Exposed session identifiers on user detail object in the whoAmI diagnostic page [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1797063
    What       | Removed | Added
    -----------+---------+---------
    Status     | NEW     | CLOSED
    Resolution | ---     | EOL
Sam Fowler sfowler@redhat.com changed:
    What        | Removed | Added
    ------------+---------+---------------------
    Resolution  | ---     | ERRATA
    Status      | NEW     | CLOSED
    Last Closed |         | 2021-10-28 00:39:51