https://bugzilla.redhat.com/show_bug.cgi?id=1501816
Bug ID: 1501816
Summary: jenkins: "Computer" remote API disclosed information about inaccessible jobs (SECURITY-611)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: amaris@redhat.com
CC: bleanhar@redhat.com, ccoleman@redhat.com, dedgar@redhat.com, dmcphers@redhat.com, java-sig-commits@lists.fedoraproject.org, jgoulding@redhat.com, jkeck@redhat.com, kseifried@redhat.com, mizdebsk@redhat.com, msrb@redhat.com
The remote API at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Job/Read permission.
External References:
https://jenkins.io/security/advisory/2017-10-11/
https://bugzilla.redhat.com/show_bug.cgi?id=1501816
Adam Mariš amaris@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1501826
Kurt Seifried kseifried@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1501970
--- Comment #1 from Kurt Seifried kseifried@redhat.com ---
Created jenkins tracking bugs for this issue:
Affects: openshift-1 [bug 1501970]
Adam Mariš amaris@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|jenkins: "Computer" remote API disclosed information about inaccessible jobs (SECURITY-611)|CVE-2017-1000398 jenkins: "Computer" remote API disclosed information about inaccessible jobs (SECURITY-611)
Alias| |CVE-2017-1000398
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ahardin@redhat.com, dbaker@redhat.com, jokerman@redhat.com, mchappel@redhat.com
Whiteboard|impact=moderate,public=20171011,reported=20171011,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-200,openshift-enterprise-3/jenkins=new,openshift-1/jenkins=affected,fedora-all/jenkins=affected|impact=moderate,public=20171011,reported=20171011,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-200,openshift-enterprise-3/jenkins=affected,openshift-1/jenkins=affected,fedora-all/jenkins=affected
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1558842, 1558843
--- Comment #2 from Jason Shepherd jshepherd@redhat.com ---
Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1558842]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1558842 [Bug 1558842] CVE-2017-1000398 jenkins: "Computer" remote API disclosed information about inaccessible jobs (SECURITY-611) [fedora-all]
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=20171011,reported=20171011,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-200,openshift-enterprise-3/jenkins=affected,openshift-1/jenkins=affected,fedora-all/jenkins=affected|impact=moderate,public=20171011,reported=20171011,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-200,openshift-enterprise-3/jenkins=notaffected,openshift-1/jenkins=notaffected,fedora-all/jenkins=affected
--- Comment #4 from Jason Shepherd jshepherd@redhat.com ---
Openshift is now using Jenkins 2.89.2. Marking Enterprise and Online as not affected.