https://bugzilla.redhat.com/show_bug.cgi?id=1418717
Bug ID: 1418717
Summary: CVE-2017-2606 jenkins: Internal API allowed access to item names that should not be visible (SECURITY-380)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: anemec@redhat.com
CC: abhgupta@redhat.com, bleanhar@redhat.com, ccoleman@redhat.com, dedgar@redhat.com, dmcphers@redhat.com, java-sig-commits@lists.fedoraproject.org, jgoulding@redhat.com, jkeck@redhat.com, joelsmith@redhat.com, kseifried@redhat.com, mizdebsk@redhat.com, msrb@redhat.com, tdawson@redhat.com, tiwillia@redhat.com
The following flaw was found in Jenkins:
The method Jenkins#getItems() included a performance optimization that returned all items whenever the "Logged-in users can do anything" authorization strategy was in use, even when anonymous users had been denied access (an option added in Jenkins 2.0). This only affects anonymous users (all other users legitimately have access to every item under that strategy) who were able to obtain a list of items via an UnprotectedRootAction.
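The shortcut described above, reduced to a small Python model added here (it is not Jenkins code or the upstream patch; the class, method and item names are hypothetical): the vulnerable getItems() keys its fast path on the strategy type alone, while the fixed one keys it on what the strategy actually grants the caller, so an anonymous caller reached through an UnprotectedRootAction falls back to per-item checks.

```python
from dataclasses import dataclass, field

ANONYMOUS = "anonymous"  # hypothetical name for the unauthenticated principal


@dataclass(frozen=True)
class LoggedInUsersCanDoAnything:
    """Models the 'Logged-in users can do anything' strategy; allow_anonymous_read
    stands for the Jenkins 2.0 option that grants or denies anonymous read."""
    allow_anonymous_read: bool = False

    def can_read(self, user: str, item: str) -> bool:
        # Every authenticated user may read everything; anonymous only if allowed.
        return user != ANONYMOUS or self.allow_anonymous_read


@dataclass
class JenkinsModel:
    strategy: LoggedInUsersCanDoAnything
    items: list = field(default_factory=list)

    def _filtered(self, user: str) -> list:
        # Slow path: one permission check per item for the actual caller.
        return [i for i in self.items if self.strategy.can_read(user, i)]

    def get_items_vulnerable(self, user: str) -> list:
        # SECURITY-380 as modelled here: the fast path is taken because of the
        # strategy type alone, so an anonymous caller receives the full list
        # even when anonymous read has been switched off.
        if isinstance(self.strategy, LoggedInUsersCanDoAnything):
            return list(self.items)
        return self._filtered(user)

    def get_items_fixed(self, user: str) -> list:
        # Take the fast path only when the strategy grants THIS caller read on
        # every item; otherwise fall back to the per-item checks.
        s = self.strategy
        if isinstance(s, LoggedInUsersCanDoAnything) and (
            user != ANONYMOUS or s.allow_anonymous_read
        ):
            return list(self.items)
        return self._filtered(user)


def item_names_via_unprotected_action(j: JenkinsModel, user: str, fixed: bool) -> list:
    """Stand-in for an UnprotectedRootAction that lists item names to any caller."""
    return j.get_items_fixed(user) if fixed else j.get_items_vulnerable(user)
```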
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-...
Upstream patch:
https://github.com/jenkinsci/jenkins/commit/09cfbc9cd5c9df7c763bc976b7f5c512...
Andrej Nemec anemec@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Fixed In Version|        |jenkins 2.44, jenkins 2.32.2
Andrej Nemec anemec@redhat.com changed:
What      |Removed |Added
----------------------------------------------------------------------------
Blocks    |        |1418735
Depends On|        |1418736
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1418736 [Bug 1418736] CVE-2017-2598 CVE-2017-2599 CVE-2017-2600 CVE-2017-2601 CVE-2017-2602 CVE-2017-2604 CVE-2017-2605 CVE-2017-2606 CVE-2017-2607 CVE-2017-2608 CVE-2017-2609 CVE-2017-2610 CVE-2017-2611 CVE-2017-2612 CVE-2017-2613 jenkins: various flaws [fedora-all]
--- Comment #1 from Andrej Nemec anemec@redhat.com ---
Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1418736]
Kurt Seifried kseifried@redhat.com changed:
What  |Removed |Added
----------------------------------------------------------------------------
Blocks|        |1395176
Laura Pardo lpardo@redhat.com changed:
What      |Removed |Added
----------------------------------------------------------------------------
Whiteboard|(the two column values, unwrapped, are listed below; the only change is the added cwe=CWE-200 field)
  Removed: impact=moderate,public=20170201,reported=20170125,source=distros,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,fedora-all/jenkins=affected,openshift-enterprise-3/jenkins=new,openshift-enterprise-2/jenkins=new
  Added:   impact=moderate,public=20170201,reported=20170125,source=distros,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-200,fedora-all/jenkins=affected,openshift-enterprise-3/jenkins=new,openshift-enterprise-2/jenkins=new