https://bugzilla.redhat.com/show_bug.cgi?id=1501814
Bug ID: 1501814
Summary: jenkins: "User" remote API disclosed users' email addresses (SECURITY-514)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: amaris@redhat.com
CC: bleanhar@redhat.com, ccoleman@redhat.com, dedgar@redhat.com, dmcphers@redhat.com, java-sig-commits@lists.fedoraproject.org, jgoulding@redhat.com, jkeck@redhat.com, kseifried@redhat.com, mizdebsk@redhat.com, msrb@redhat.com
Information about Jenkins user accounts is generally available to anyone with Overall/Read permission via the /user/(username)/api remote API. This included, for example, Jenkins users' email addresses if the Mailer Plugin is installed.
External References:
https://jenkins.io/security/advisory/2017-10-11/
https://bugzilla.redhat.com/show_bug.cgi?id=1501814
Adam Mariš amaris@redhat.com changed:
What   | Removed | Added
-------+---------+--------
Blocks |         | 1501826
Kurt Seifried kseifried@redhat.com changed:
What       | Removed | Added
-----------+---------+--------
Depends On |         | 1501969

--- Comment #1 from Kurt Seifried kseifried@redhat.com ---
Created jenkins tracking bugs for this issue:
Affects: openshift-1 [bug 1501969]
Adam Mariš amaris@redhat.com changed:
What    | Removed                                                                   | Added
--------+---------------------------------------------------------------------------+-------------------------------------------------------------------------------------------
Summary | jenkins: "User" remote API disclosed users' email addresses (SECURITY-514) | CVE-2017-1000395 jenkins: "User" remote API disclosed users' email addresses (SECURITY-514)
Alias   |                                                                           | CVE-2017-1000395
Jason Shepherd jshepherd@redhat.com changed:
What: CC
  Removed: (none)
  Added: ahardin@redhat.com, dbaker@redhat.com, jokerman@redhat.com, mchappel@redhat.com

What: Whiteboard
  Removed: impact=moderate,public=20171011,reported=20171011,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-200,openshift-enterprise-3/jenkins=new,openshift-1/jenkins=affected,fedora-all/jenkins=affected
  Added: impact=moderate,public=20171011,reported=20171011,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-200,openshift-enterprise-3/jenkins=affected,openshift-1/jenkins=affected,fedora-all/jenkins=affected
Jason Shepherd jshepherd@redhat.com changed:
What       | Removed | Added
-----------+---------+-----------------
Depends On |         | 1558848, 1558849

--- Comment #2 from Jason Shepherd jshepherd@redhat.com ---
Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1558848]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1558848 [Bug 1558848] CVE-2017-1000395 jenkins: "User" remote API disclosed users' email addresses (SECURITY-514) [fedora-all]
Jason Shepherd jshepherd@redhat.com changed:
What: Whiteboard
  Removed: impact=moderate,public=20171011,reported=20171011,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-200,openshift-enterprise-3/jenkins=affected,openshift-1/jenkins=affected,fedora-all/jenkins=affected
  Added: impact=moderate,public=20171011,reported=20171011,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-200,openshift-enterprise-3/jenkins=notaffected,openshift-1/jenkins=notaffected,fedora-all/jenkins=affected

--- Comment #4 from Jason Shepherd jshepherd@redhat.com ---
OpenShift is now using Jenkins 2.89.2. Marking Enterprise and Online as not affected.