New subject: [Bug 1282367] CVE-2015-5324 jenkins: Queue API did show items not visible to the current user (SECURITY-186)

16 Nov 2015


      https://bugzilla.redhat.com/show_bug.cgi?id=1282367
Bug ID: 1282367
           Summary: CVE-2015-5324 jenkins: Queue API did show items not
                    visible to the current user (SECURITY-186)
           Product: Security Response
         Component: vulnerability
          Keywords: Security
          Severity: medium
          Priority: medium
          Assignee: security-response-team@redhat.com
          Reporter: mprpic@redhat.com
                CC: bleanhar@redhat.com, ccoleman@redhat.com,
                    dmcphers@redhat.com,
                    java-sig-commits@lists.fedoraproject.org,
                    jdetiber@redhat.com, jialiu@redhat.com,
                    jkeck@redhat.com, joelsmith@redhat.com,
                    jokerman@redhat.com, kseifried@redhat.com,
                    lmeyer@redhat.com, mizdebsk@redhat.com,
                    mmccomas@redhat.com, msrb@redhat.com
The following flaw was found in Jenkins:
The /queue/api URL could return information about items not accessible to the
current user (such as parameter names and values, build names, project
descriptions, ...).
Low privileged users can gain some limited information about items they should
not have access to.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-...
-- 
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=43JguXYsQ1&a=cc_unsubscribe

[Bug 1282367] New: CVE-2015-5324 jenkins: Queue API did show items not visible to the current user (SECURITY-186)