https://bugzilla.redhat.com/show_bug.cgi?id=1857427
Bug ID: 1857427
Summary: CVE-2020-2221 jenkins: Stored XSS vulnerability in upstream cause
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: psampaio@redhat.com
CC: abenaiss@redhat.com, aos-bugs@redhat.com, bmontgom@redhat.com, eparis@redhat.com, extras-orphan@fedoraproject.org, java-sig-commits@lists.fedoraproject.org, jburrell@redhat.com, jokerman@redhat.com, mizdebsk@redhat.com, msrb@redhat.com, nstielau@redhat.com, pbhattac@redhat.com, sponnaga@redhat.com, vbobade@redhat.com
Target Milestone: ---
Classification: Other
Jenkins 2.244 and earlier and LTS 2.235.1 and earlier do not escape the upstream job's display name shown as part of a build cause. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission.
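The defect described above is a missing output-encoding step: a value that a Job/Configure user controls (the upstream job's display name) is placed into HTML verbatim. The following Python model is an added example, not Jenkins code (Jenkins is written in Java, and the actual fix shipped in 2.245 per this bug's Fixed In Version); the helper names, the cause template and the sample display name are all constructed here to show the unescaped rendering beside the escaped one and a simple check that flags output in which attacker-supplied markup survived.

```python
import html
import re

# Constructed sample value: a display name that carries markup. In the real
# issue the value is whatever a user with Job/Configure permission sets as
# the upstream job's display name; this string is made up for the example.
UPSTREAM_DISPLAY_NAME = 'build-lib <script>alert(1)</script>'

# Hypothetical cause template modelled on the "Started by upstream project"
# wording; it is not the Jenkins source.
CAUSE_TEMPLATE = "Started by upstream project <b>{name}</b> build number {num}"


def render_cause_unescaped(display_name: str, build_number: int) -> str:
    """Model of the flawed behaviour: the display name is interpolated
    into the cause's HTML without encoding, so any tags it contains are
    emitted as live markup and stored with the build."""
    return CAUSE_TEMPLATE.format(name=display_name, num=build_number)


def render_cause_escaped(display_name: str, build_number: int) -> str:
    """Hardened variant: HTML-escape the attacker-influenced value before it
    is placed into markup. quote=True also neutralises ' and " so the value
    stays inert even if a template ever put it inside an attribute."""
    safe_name = html.escape(display_name, quote=True)
    return CAUSE_TEMPLATE.format(name=safe_name, num=build_number)


# Any element other than the <b>...</b> that the template itself emits is
# foreign markup and means an encoding step was skipped.
_FOREIGN_TAG = re.compile(r"<(?!/?b>)[^>]+>")


def contains_foreign_markup(rendered: str) -> bool:
    """Detection check for a test suite or a reviewer: True if rendered
    output contains a tag the template did not produce."""
    return _FOREIGN_TAG.search(rendered) is not None


def audit_causes(rendered_causes: list[str]) -> list[int]:
    """Return the indexes of rendered cause strings that carry foreign
    markup, so a batch of stored causes can be screened in one pass."""
    return [i for i, text in enumerate(rendered_causes)
            if contains_foreign_markup(text)]


if __name__ == "__main__":
    flawed = render_cause_unescaped(UPSTREAM_DISPLAY_NAME, 7)
    fixed = render_cause_escaped(UPSTREAM_DISPLAY_NAME, 7)
    print("unescaped:", flawed, "->", contains_foreign_markup(flawed))
    print("escaped:  ", fixed, "->", contains_foreign_markup(fixed))
    print("flagged indexes:", audit_causes([flawed, fixed]))
```

The escaped variant still renders the name readably (`&lt;script&gt;` displays as literal angle brackets), which is the point: encoding at the output boundary preserves the value while removing its ability to act as markup. Restricting who may set display names is not a substitute, because the page states that Job/Configure, a routinely granted permission, is enough to reach this sink.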
References:
https://www.jenkins.io/security/advisory/2020-07-15/
https://bugzilla.redhat.com/show_bug.cgi?id=1857427
Pedro Sampaio psampaio@redhat.com changed:
What             | Removed | Added
-----------------|---------|--------------
Depends On       |         | 1857428
Fixed In Version |         | jenkins 2.245
--- Comment #1 from Pedro Sampaio psampaio@redhat.com ---
Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1857428]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1857428 [Bug 1857428] CVE-2020-2221 jenkins: Stored XSS vulnerability in upstream cause [fedora-all]
Pedro Sampaio psampaio@redhat.com changed:
What             | Removed | Added
-----------------|---------|--------
Blocks           |         | 1857443
Mark Cooper mcooper@redhat.com changed:
What             | Removed | Added
-----------------|---------|------------------------------------------------
Depends On       |         | 1857552, 1857548, 1857551, 1857549, 1857550
--- Doc Text *updated* by Eric Christensen sparks@redhat.com ---
A flaw was found in Jenkins versions 2.244 and prior and in LTS 2.235.1 and prior. The upstream job's display name is not escaped on build time trend pages, which could lead to a stored cross-site scripting (XSS) vulnerability. The user must have the Agent/Configure permission for this exploit to function. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
--- Comment #3 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.5
Via RHSA-2020:3519 https://access.redhat.com/errata/RHSA-2020:3519
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What             | Removed | Added
-----------------|---------|---------------------------------------
Link ID          |         | Red Hat Product Errata RHSA-2020:3519
Product Security DevOps Team prodsec-dev@redhat.com changed:
What             | Removed | Added
-----------------|---------|--------------------
Status           | NEW     | CLOSED
Resolution       | ---     | ERRATA
Last Closed      |         | 2020-08-24 15:15:26
--- Comment #4 from Product Security DevOps Team prodsec-dev@redhat.com ---
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-2221
--- Comment #5 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 3.11
Via RHSA-2020:3541 https://access.redhat.com/errata/RHSA-2020:3541
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What             | Removed | Added
-----------------|---------|---------------------------------------
Link ID          |         | Red Hat Product Errata RHSA-2020:3541
Vikas Laad vlaad@redhat.com changed:
What             | Removed | Added
-----------------|---------|--------
Depends On       |         | 1873181
--- Comment #8 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.3
Via RHSA-2020:3808 https://access.redhat.com/errata/RHSA-2020:3808
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What             | Removed | Added
-----------------|---------|---------------------------------------
Link ID          |         | Red Hat Product Errata RHSA-2020:3808
jawed jkhelil@redhat.com changed:
What             | Removed | Added
-----------------|---------|--------
Depends On       |         | 1877292
Bug 1857427 depends on bug 1857428, which changed state.
Bug 1857428 Summary: CVE-2020-2221 jenkins: Stored XSS vulnerability in upstream cause [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1857428
What             | Removed | Added
-----------------|---------|--------
Status           | NEW     | CLOSED
Resolution       | ---     | EOL