https://bugzilla.redhat.com/show_bug.cgi?id=1335416
Bug ID: 1335416
Summary: CVE-2016-3722 jenkins: Malicious users with multiple
user accounts can prevent other users from logging in
(SECURITY-243)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: abhgupta(a)redhat.com, bleanhar(a)redhat.com,
ccoleman(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jialiu(a)redhat.com, jkeck(a)redhat.com,
joelsmith(a)redhat.com, jokerman(a)redhat.com,
kseifried(a)redhat.com, lmeyer(a)redhat.com,
mizdebsk(a)redhat.com, mmccomas(a)redhat.com,
msrb(a)redhat.com, tdawson(a)redhat.com,
tiwillia(a)redhat.com
The following flaw was found in Jenkins:
By changing the freely editable 'full name', malicious users with multiple user
accounts could prevent other users from logging in, as 'full name' was resolved
before actual user name to determine which account is currently trying to log
in.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+20...
--
You are receiving this mail because:
You are on the CC list for the bug.