https://bugzilla.redhat.com/show_bug.cgi?id=1819198
Bug ID: 1819198
Summary: CVE-2020-2161 jenkins: XSS in job configuration pages
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: darunesh@redhat.com
CC: abenaiss@redhat.com, aos-bugs@redhat.com, bmontgom@redhat.com, eparis@redhat.com, extras-orphan@fedoraproject.org, java-sig-commits@lists.fedoraproject.org, jburrell@redhat.com, jokerman@redhat.com, mizdebsk@redhat.com, msrb@redhat.com, nstielau@redhat.com, pbhattac@redhat.com, sponnaga@redhat.com, vbobade@redhat.com
Target Milestone: ---
Classification: Other
A vulnerability was found in Jenkins 2.227 and earlier, and LTS 2.204.5 and earlier: these versions do not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels.
Reference: http://www.openwall.com/lists/oss-security/2020/03/25/2
Dhananjay Arunesh darunesh@redhat.com changed:
Depends On: (added) 1819199
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1819199 [Bug 1819199] CVE-2020-2161 jenkins: XSS in job configuration pages [fedora-all]
--- Comment #1 from Dhananjay Arunesh darunesh@redhat.com ---
Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1819199]
Dhananjay Arunesh darunesh@redhat.com changed:
Blocks: (added) 1819191
Sam Fowler sfowler@redhat.com changed:
Fixed In Version: (added) jenkins LTS 2.204.6, jenkins LTS 2.222.1, jenkins 2.228
--- Comment #2 from Sam Fowler sfowler@redhat.com ---
External References:
https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1781
Sam Fowler sfowler@redhat.com changed:
Depends On: (added) 1819499, 1819508, 1819504
Sam Fowler sfowler@redhat.com changed:
Depends On: (removed) 1819504
Sam Fowler sfowler@redhat.com changed:
Depends On: (added) 1819501
Sam Fowler sfowler@redhat.com changed:
Depends On: (removed) 1819499
Sam Fowler sfowler@redhat.com changed:
Depends On: (added) 1819497
Sam Fowler sfowler@redhat.com changed:
Depends On: (removed) 1819508
Sam Fowler sfowler@redhat.com changed:
Depends On: (added) 1819505
Sam Fowler sfowler@redhat.com changed:
Depends On: (added) 1820018, 1820017
Vikas Laad vlaad@redhat.com changed:
Depends On: (added) 1873174
jawed jkhelil@redhat.com changed:
Depends On: (added) 1877292
Bug 1819198 depends on bug 1819199, which changed state.
Bug 1819199 Summary: CVE-2020-2161 jenkins: XSS in job configuration pages [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1819199
Status: NEW -> CLOSED
Resolution: --- -> EOL