https://bugzilla.redhat.com/show_bug.cgi?id=1335416
Bug ID: 1335416
Summary: CVE-2016-3722 jenkins: Malicious users with multiple user accounts can prevent other users from logging in (SECURITY-243)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team@redhat.com
Reporter: anemec@redhat.com
CC: abhgupta@redhat.com, bleanhar@redhat.com, ccoleman@redhat.com, dmcphers@redhat.com, java-sig-commits@lists.fedoraproject.org, jialiu@redhat.com, jkeck@redhat.com, joelsmith@redhat.com, jokerman@redhat.com, kseifried@redhat.com, lmeyer@redhat.com, mizdebsk@redhat.com, mmccomas@redhat.com, msrb@redhat.com, tdawson@redhat.com, tiwillia@redhat.com
The following flaw was found in Jenkins:
By changing the freely editable 'full name', malicious users with multiple user accounts could prevent other users from logging in, as the 'full name' was resolved before the actual user name to determine which account is currently trying to log in.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-...
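As an added example (not code from Jenkins, the advisory, or this bug report), the lookup-order mistake described above modelled in Python: a toy user store that resolves a login string by full name first (the behaviour the report describes) beside one that resolves by user ID first, with a second attacker account whose full name has been set to the victim's user ID. The account names, passwords and the `UserStore`/`login` helpers are constructed for illustration; Jenkins' real `User` lookup code and the exact upstream fix are not reproduced here.

```python
"""Constructed model of the SECURITY-243 lookup-order flaw (added example).

The store accepts a single string that may be either an account's ID or
its freely editable full name.  If the full name is consulted before the
ID, an account whose full name equals someone else's ID captures that
lookup, so the victim's own credentials no longer match the account the
login resolves to.
"""
from dataclasses import dataclass


@dataclass
class Account:
    user_id: str     # login name, not editable by the user
    full_name: str   # display name, editable by the account owner
    password: str    # plaintext only because this is a toy


class UserStore:
    def __init__(self, accounts):
        self._by_id = {a.user_id: a for a in accounts}

    def set_full_name(self, user_id, new_full_name):
        # The self-service edit an attacker uses on their second account.
        self._by_id[user_id].full_name = new_full_name

    def _by_full_name(self, name):
        # First account whose display name matches, or None.
        for acct in self._by_id.values():
            if acct.full_name == name:
                return acct
        return None

    def resolve_vulnerable(self, id_or_full_name):
        """Full name wins over ID: the ordering the report describes."""
        acct = self._by_full_name(id_or_full_name)
        if acct is not None:
            return acct
        return self._by_id.get(id_or_full_name)

    def resolve_fixed(self, id_or_full_name):
        """Exact user ID wins; full name is only a fallback when no
        account carries that ID, so a display name can never shadow one."""
        acct = self._by_id.get(id_or_full_name)
        if acct is not None:
            return acct
        return self._by_full_name(id_or_full_name)


def login(store, resolve, user_id, password):
    """Authenticate against whichever account `resolve` maps user_id to.
    Returns the resolved account's user_id on success, None on failure."""
    acct = resolve(user_id)
    if acct is None or acct.password != password:
        return None
    return acct.user_id


def demo():
    # Constructed accounts: one victim plus an attacker with two accounts.
    store = UserStore([
        Account("alice", "Alice Example", "alice-pw"),
        Account("mallory", "Mallory", "mallory-pw"),
        Account("mallory2", "Mallory Two", "mallory2-pw"),
    ])
    # Attacker renames the secondary account's full name to the victim's ID.
    store.set_full_name("mallory2", "alice")

    return {
        # Victim logs in with correct credentials under each lookup order.
        "vuln_victim": login(store, store.resolve_vulnerable, "alice", "alice-pw"),
        "fixed_victim": login(store, store.resolve_fixed, "alice", "alice-pw"),
        # Which account the string "alice" now resolves to.
        "vuln_resolves_to": store.resolve_vulnerable("alice").user_id,
        "fixed_resolves_to": store.resolve_fixed("alice").user_id,
        # Attacker typing the victim's ID with their own password.
        "vuln_attacker_via_alice": login(store, store.resolve_vulnerable, "alice", "mallory2-pw"),
        "fixed_attacker_via_alice": login(store, store.resolve_fixed, "alice", "mallory2-pw"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the vulnerable ordering the victim's login fails (the string "alice" now resolves to mallory2, whose password does not match), which is the denial of service the advisory rates as low impact; with ID-first resolution the victim logs in normally and the renamed account gains nothing.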
Andrej Nemec anemec@redhat.com changed:
What   | Removed | Added
-------+---------+---------
Blocks |         | 1335425
Andrej Nemec anemec@redhat.com changed:
What       | Removed | Added
-----------+---------+---------
Depends On |         | 1335427
--- Comment #1 from Andrej Nemec anemec@redhat.com ---
Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1335427]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1335427 [Bug 1335427] CVE-2016-3721 CVE-2016-3722 CVE-2016-3723 CVE-2016-3724 CVE-2016-3725 CVE-2016-3726 CVE-2016-3727 jenkins: various flaws [fedora-all]
Andrej Nemec anemec@redhat.com changed:
What       | Removed                                       | Added
-----------+-----------------------------------------------+-----------------------------------------------
Whiteboard | impact=low,public=20160511,reported=20160511, | impact=low,public=20160511,reported=20160511,
           | source=internet,                              | source=internet,
           | cvss2=2.6/AV:N/AC:H/Au:N/C:N/I:N/A:P,         | cvss2=2.3/AV:A/AC:M/Au:S/C:N/I:N/A:P,
           | openshift-enterprise-3/jenkins=affected,      | openshift-enterprise-3/jenkins=affected,
           | openshift-enterprise-2/jenkins=affected,      | openshift-enterprise-2/jenkins=affected,
           | openshift-1/jenkins=affected,                 | openshift-1/jenkins=affected,
           | fedora-all/jenkins=affected                   | fedora-all/jenkins=affected
Andrej Nemec anemec@redhat.com changed:
What       | Removed                                       | Added
-----------+-----------------------------------------------+-----------------------------------------------
Whiteboard | impact=low,public=20160511,reported=20160511, | impact=low,public=20160511,reported=20160511,
           | source=internet,                              | source=internet,
           | cvss2=2.3/AV:A/AC:M/Au:S/C:N/I:N/A:P,         | cvss2=3.5/AV:N/AC:M/Au:S/C:N/I:N/A:P,
           | openshift-enterprise-3/jenkins=affected,      | openshift-enterprise-3/jenkins=affected,
           | openshift-enterprise-2/jenkins=affected,      | openshift-enterprise-2/jenkins=affected,
           | openshift-1/jenkins=affected,                 | openshift-1/jenkins=affected,
           | fedora-all/jenkins=affected                   | fedora-all/jenkins=affected
--- Comment #2 from Fedora Update System updates@fedoraproject.org --- jenkins-1.651.2-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Bug 1335416 depends on bug 1335427, which changed state.
Bug 1335427 Summary: CVE-2016-3721 CVE-2016-3722 CVE-2016-3723 CVE-2016-3724 CVE-2016-3725 CVE-2016-3726 CVE-2016-3727 jenkins: various flaws [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1335427
What       | Removed | Added
-----------+---------+--------
Status     | ON_QA   | CLOSED
Resolution | ---     | ERRATA
--- Comment #3 from Fedora Update System updates@fedoraproject.org --- jenkins-1.625.3-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
--- Comment #4 from Fedora Update System updates@fedoraproject.org --- jenkins-1.609.3-7.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
--- Comment #5 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Enterprise 3.2
Red Hat OpenShift Enterprise 3.1
Via RHSA-2016:1206 https://access.redhat.com/errata/RHSA-2016:1206
Kurt Seifried kseifried@redhat.com changed:
What        | Removed | Added
------------+---------+--------------------
Status      | NEW     | CLOSED
Resolution  | ---     | ERRATA
Last Closed |         | 2016-06-06 15:13:53
Kurt Seifried kseifried@redhat.com changed:
What       | Removed | Added
-----------+---------+---------
Depends On |         | 1349611
--- Comment #7 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Enterprise 2.2
Via RHSA-2016:1773 https://rhn.redhat.com/errata/RHSA-2016-1773.html