New subject: [Bug 1282366] CVE-2015-5323 jenkins: API tokens of other users available to admins (SECURITY-200)

16 Nov 2015


      https://bugzilla.redhat.com/show_bug.cgi?id=1282366
Bug ID: 1282366
           Summary: CVE-2015-5323 jenkins: API tokens of other users
                    available to admins (SECURITY-200)
           Product: Security Response
         Component: vulnerability
          Keywords: Security
          Severity: medium
          Priority: medium
          Assignee: security-response-team@redhat.com
          Reporter: mprpic@redhat.com
                CC: bleanhar@redhat.com, ccoleman@redhat.com,
                    dmcphers@redhat.com,
                    java-sig-commits@lists.fedoraproject.org,
                    jdetiber@redhat.com, jialiu@redhat.com,
                    jkeck@redhat.com, joelsmith@redhat.com,
                    jokerman@redhat.com, kseifried@redhat.com,
                    lmeyer@redhat.com, mizdebsk@redhat.com,
                    mmccomas@redhat.com, msrb@redhat.com
The following flaw was found in Jenkins:
API tokens of other users were exposed to admins by default. On instances that
don't implicitly grant RunScripts permission to admins, this allowed admins to
run scripts with another user's credentials.
In very specific circumstances, it allows admins to gain permissions they would
not otherwise have.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-...
-- 
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=ZqXJZdyVqX&a=cc_unsubscribe

[Bug 1282366] New: CVE-2015-5323 jenkins: API tokens of other users available to admins (SECURITY-200)