[Bug 1418707] New: CVE-2017-2601 jenkins: Persisted cross-site scripting vulnerability in parameter names and descriptions (SECURITY-353)
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1418707
Bug ID: 1418707
Summary: CVE-2017-2601 jenkins: Persisted cross-site scripting vulnerability in parameter names and descriptions (SECURITY-353)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: abhgupta(a)redhat.com, bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, dmcphers(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jkeck(a)redhat.com, joelsmith(a)redhat.com, kseifried(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com, tdawson(a)redhat.com, tiwillia(a)redhat.com
The following flaw was found in Jenkins:
Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+20...
Upstream patch:
https://github.com/jenkinsci/jenkins/commit/fd2e081b947124c90bcd97bfc55e1...
--
You are receiving this mail because:
You are on the CC list for the bug.
[Bug 1418703] New: CVE-2017-2600 jenkins: Node monitor data could be viewed by low privilege users (SECURITY-343)
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1418703
Bug ID: 1418703
Summary: CVE-2017-2600 jenkins: Node monitor data could be viewed by low privilege users (SECURITY-343)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: abhgupta(a)redhat.com, bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, dmcphers(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jkeck(a)redhat.com, joelsmith(a)redhat.com, kseifried(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com, tdawson(a)redhat.com, tiwillia(a)redhat.com
The following flaw was found in Jenkins:
Overall/Read permission was sufficient to access node monitor data via the remote API. This data included the system configuration and runtime information of those nodes.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+20...
Upstream patch:
https://github.com/jenkinsci/jenkins/commit/0f92cd08a19207de2cceb6a2f4e3e...
[Bug 1418698] New: CVE-2017-2599 jenkins: Items could be created with same name as existing item (SECURITY-321)
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1418698
Bug ID: 1418698
Summary: CVE-2017-2599 jenkins: Items could be created with same name as existing item (SECURITY-321)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: abhgupta(a)redhat.com, bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, dmcphers(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jkeck(a)redhat.com, joelsmith(a)redhat.com, kseifried(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com, tdawson(a)redhat.com, tiwillia(a)redhat.com
The following flaw was found in Jenkins:
An insufficient permission check allowed users with the permission to create new items (e.g. jobs) to overwrite existing items they don't have access to. After a Jenkins restart, children of the original item, such as builds, were then accessible in some circumstances.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+20...
Upstream patch:
https://github.com/jenkinsci/jenkins/commit/4ed5c850b6855ab064a66d02fb338...
[Bug 1418730] New: CVE-2017-2612 jenkins: Low privilege users were able to override JDK download credentials (SECURITY-392)
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1418730
Bug ID: 1418730
Summary: CVE-2017-2612 jenkins: Low privilege users were able to override JDK download credentials (SECURITY-392)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: abhgupta(a)redhat.com, bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, dmcphers(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jkeck(a)redhat.com, joelsmith(a)redhat.com, kseifried(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com, tdawson(a)redhat.com, tiwillia(a)redhat.com
The following flaw was found in Jenkins:
Jenkins allows administrators to enter their username and password for the Oracle download site, which provides JDKs for download. Users with read access to Jenkins were able to override these credentials, so that future builds could fail to download a JDK. A permission check has been added.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+20...
Upstream patch:
https://github.com/jenkinsci/jenkins/commit/b0ed9669bc00dbccf1be6896bb527...
[Bug 1418729] New: CVE-2017-2611 jenkins: Insufficient permission check for periodic processes (SECURITY-389)
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1418729
Bug ID: 1418729
Summary: CVE-2017-2611 jenkins: Insufficient permission check for periodic processes (SECURITY-389)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: abhgupta(a)redhat.com, bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, dmcphers(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jkeck(a)redhat.com, joelsmith(a)redhat.com, kseifried(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com, tdawson(a)redhat.com, tiwillia(a)redhat.com
The following flaw was found in Jenkins:
The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (which are otherwise run daily), possibly causing additional load on the Jenkins master and agents.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+20...
Upstream patch:
https://github.com/jenkinsci/jenkins/commit/97a61a9fe55f4c16168c123f98301...