https://bugzilla.redhat.com/show_bug.cgi?id=1418713
Bug ID: 1418713
Summary: CVE-2017-2603 jenkins: User data leak in disconnected
agents' config.xml API (SECURITY-362)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: abhgupta(a)redhat.com, bleanhar(a)redhat.com,
ccoleman(a)redhat.com, dedgar(a)redhat.com,
dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
joelsmith(a)redhat.com, kseifried(a)redhat.com,
mizdebsk(a)redhat.com, msrb(a)redhat.com,
tdawson(a)redhat.com, tiwillia(a)redhat.com
The following flaw was found in Jenkins:
Agents that were disconnected by users contained the disconnecting user's User
object in serialized form in the config.xml remote API output. This could leak
sensitive data such as API tokens.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+20...
Upstream patch:
https://github.com/jenkinsci/jenkins/commit/3cd946cbef82c6da5ccccf3890d0a...
--
You are receiving this mail because:
You are on the CC list for the bug.