5:53 a.m.
https://bugzilla.redhat.com/show_bug.cgi?id=1205625
Bug ID: 1205625
Summary: CVE-2015-1809 jenkins: external entity injection via
XPath (SECURITY-165)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: vkaigoro(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jdetiber(a)redhat.com, jialiu(a)redhat.com,
jkeck(a)redhat.com, joelsmith(a)redhat.com,
jokerman(a)redhat.com, kseifried(a)redhat.com,
lmeyer(a)redhat.com, mmccomas(a)redhat.com,
msrb(a)redhat.com
This vulnerability allows users with the read access to Jenkins to retrieve
arbitrary XML document on the server, resulting in the exposure of sensitive
information inside/outside Jenkins.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+20...
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=hLJy24Ki14&a=cc_unsubscribe
6:03 a.m.
New subject: [Bug 1205625] CVE-2015-1809 jenkins: external entity injection via XPath (SECURITY-165)
https://bugzilla.redhat.com/show_bug.cgi?id=1205625
Vasyl Kaigorodov <vkaigoro(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1205634
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=YFbQxGquAH&a=cc_unsubscribe
6:07 a.m.
New subject: [Bug 1205625] CVE-2015-1809 jenkins: external entity injection via XPath (SECURITY-165)
https://bugzilla.redhat.com/show_bug.cgi?id=1205625
Vasyl Kaigorodov <vkaigoro(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1205637
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1205637
[Bug 1205637] CVE-2015-1806 CVE-2015-1807 CVE-2015-1813 CVE-2015-1812
CVE-2015-1808 CVE-2015-1814 jenkins: various flaws [fedora-all]
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=FVcSwS3zfF&a=cc_unsubscribe
6:07 a.m.
New subject: [Bug 1205625] CVE-2015-1809 jenkins: external entity injection via XPath (SECURITY-165)
https://bugzilla.redhat.com/show_bug.cgi?id=1205625
Vasyl Kaigorodov <vkaigoro(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1205638
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=Nn69osIsmJ&a=cc_unsubscribe
6:07 a.m.
New subject: [Bug 1205625] CVE-2015-1809 jenkins: external entity injection via XPath (SECURITY-165)
https://bugzilla.redhat.com/show_bug.cgi?id=1205625
--- Comment #2 from Vasyl Kaigorodov <vkaigoro(a)redhat.com> ---
Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1205637]
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=SWAqTLXGJ2&a=cc_unsubscribe
4:43 a.m.
New subject: [Bug 1205625] CVE-2015-1809 jenkins: external entity injection via XPath (SECURITY-165)
https://bugzilla.redhat.com/show_bug.cgi?id=1205625
Bug 1205625 depends on bug 1205637, which changed state.
Bug 1205637 Summary: CVE-2015-1806 CVE-2015-1807 CVE-2015-1813 CVE-2015-1812 CVE-2015-1811
CVE-2015-1810 CVE-2015-1808 CVE-2015-1809 CVE-2015-1814 jenkins: various flaws
[fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1205637
What |Removed |Added
----------------------------------------------------------------------------
Status|ON_QA |CLOSED
Resolution|--- |ERRATA
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=AOefgehDrc&a=cc_unsubscribe
4:44 a.m.
New subject: [Bug 1205625] CVE-2015-1809 jenkins: external entity injection via XPath (SECURITY-165)
https://bugzilla.redhat.com/show_bug.cgi?id=1205625
--- Comment #3 from Fedora Update System <updates(a)fedoraproject.org> ---
jenkins-1.590-3.fc21 has been pushed to the Fedora 21 stable repository. If
problems still persist, please make note of it in this bug report.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=UhDYwpQpbT&a=cc_unsubscribe
2:08 p.m.
New subject: [Bug 1205625] CVE-2015-1809 jenkins: external entity injection via XPath (SECURITY-165)
https://bugzilla.redhat.com/show_bug.cgi?id=1205625
--- Comment #4 from Fedora Update System <updates(a)fedoraproject.org> ---
jenkins-1.606-1.fc22, jffi-1.2.7-5.fc22, jenkins-executable-war-1.29-4.fc22 has
been pushed to the Fedora 22 stable repository. If problems still persist,
please make note of it in this bug report.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=Yxjz2BL6Go&a=cc_unsubscribe
2:57 p.m.
New subject: [Bug 1205625] CVE-2015-1809 jenkins: external entity injection via XPath (SECURITY-165)
https://bugzilla.redhat.com/show_bug.cgi?id=1205625
Kurt Seifried <kseifried(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1248781
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=iEpN5JLDSr&a=cc_unsubscribe
9:36 p.m.
New subject: [Bug 1205625] CVE-2015-1809 jenkins: external entity injection via XPath (SECURITY-165)
https://bugzilla.redhat.com/show_bug.cgi?id=1205625
--- Doc Text *updated* by Kurt Seifried <kseifried(a)redhat.com> ---
It was found that Jenkins XPath handling allows XML External Entity (XXE) expansion. A
remote attacker with read access could use this flaw to read arbitrary XML files on the
Jenkins server.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=AnZQi3pqh8&a=cc_unsubscribe
2:41 a.m.
New subject: [Bug 1205625] CVE-2015-1809 jenkins: external entity injection via XPath (SECURITY-165)
https://bugzilla.redhat.com/show_bug.cgi?id=1205625
--- Doc Text *updated* by Martin Prpic <mprpic(a)redhat.com> ---
It was found that Jenkins' XPath handling allowed XML External Entity (XXE) expansion.
A remote attacker with read access could use this flaw to read arbitrary XML files on the
Jenkins server.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=JdcSRwUvWM&a=cc_unsubscribe
6:26 p.m.
New subject: [Bug 1205625] CVE-2015-1809 jenkins: external entity injection via XPath (SECURITY-165)
https://bugzilla.redhat.com/show_bug.cgi?id=1205625
Kurt Seifried <kseifried(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=2015 |impact=moderate,public=2015
|0227,reported=20150325,sour |0227,reported=20150325,sour
|ce=internet,cvss2=4.3/AV:N/ |ce=internet,cvss2=4.3/AV:N/
|AC:M/Au:N/C:P/I:N/A:N,fedor |AC:M/Au:N/C:P/I:N/A:N,cwe=C
|a-all/jenkins=affected,open |WE-611,fedora-all/jenkins=a
|shift-enterprise-2/jenkins= |ffected,openshift-enterpris
|affected,openshift-1/jenkin |e-2/jenkins=affected,opensh
|s=affected |ift-1/jenkins=affected
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=8jkYNDyZRr&a=cc_unsubscribe
_______________________________________________
java-sig-commits mailing list
java-sig-commits(a)lists.fedoraproject.org
http://lists.fedoraproject.org/postorius/java-sig-commits@lists.fedorapro...
11:37 a.m.
New subject: [Bug 1205625] CVE-2015-1809 jenkins: external entity injection via XPath (SECURITY-165)
https://bugzilla.redhat.com/show_bug.cgi?id=1205625
--- Comment #7 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> ---
This issue has been addressed in the following products:
RHEL 6 Version of OpenShift Enterprise 2.2
Via RHSA-2015:1844 https://rhn.redhat.com/errata/RHSA-2015-1844.html
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=3QAriqz7ZI&a=cc_unsubscribe
11:43 a.m.
New subject: [Bug 1205625] CVE-2015-1809 jenkins: external entity injection via XPath (SECURITY-165)
https://bugzilla.redhat.com/show_bug.cgi?id=1205625
Kurt Seifried <kseifried(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |ERRATA
Last Closed| |2015-09-30 12:43:19
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=p2lE3eWw3O&a=cc_unsubscribe
3169
days inactive
3358
days old
java-sig-commits@lists.fedoraproject.org
13 comments
1 participants
participants (1)
-
Red Hat Bugzilla