https://bugzilla.redhat.com/show_bug.cgi?id=1258515
Bug ID: 1258515
Summary: jenkins: CSRF vulnerability allowing remote attacker to hijack authentication
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: amaris@redhat.com
CC: bleanhar@redhat.com, ccoleman@redhat.com, dmcphers@redhat.com, java-sig-commits@lists.fedoraproject.org, jdetiber@redhat.com, jialiu@redhat.com, jkeck@redhat.com, joelsmith@redhat.com, jokerman@redhat.com, kseifried@redhat.com, lmeyer@redhat.com, logans@cottsay.net, mizdebsk@redhat.com, mmccomas@redhat.com, msrb@redhat.com
A CSRF vulnerability was found in Jenkins 1.626, allowing remote attackers to hijack the authentication of users for most requests. It can be exploited to change specific settings or execute code.
Report (includes reproducers):
http://seclists.org/bugtraq/2015/Aug/161
Adam Mariš amaris@redhat.com changed:

What        |Removed |Added
------------+--------+---------
Blocks      |        |1258518
Adam Mariš amaris@redhat.com changed:

What        |Removed |Added
------------+--------+---------
Depends On  |        |1258520
Depends On  |        |1258522
Depends On  |        |1258523
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1258522 [Bug 1258522] jenkins: CSRF vulnerability allowing remote attacker to hijack authentication [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1258523 [Bug 1258523] python-jenkins: jenkins: CSRF vulnerability allowing remote attacker to hijack authentication [fedora-all]
--- Comment #2 from Adam Mariš amaris@redhat.com ---
Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1258522]
--- Comment #3 from Adam Mariš amaris@redhat.com ---
Created python-jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1258523]
Michal Srb msrb@redhat.com changed:

What        |Removed |Added
------------+--------+-----------------------------
CC          |        |amaris@redhat.com
Flags       |        |needinfo?(amaris@redhat.com)
Adam Mariš amaris@redhat.com changed:

What        |Removed                      |Added
------------+-----------------------------+---------------------
Status      |NEW                          |CLOSED
Resolution  |---                          |NOTABUG
Flags       |needinfo?(amaris@redhat.com) |
Last Closed |                             |2015-10-13 05:15:00
--- Comment #6 from Adam Mariš amaris@redhat.com ---
You're right! CSRF protection mitigates these attacks and, according to upstream https://issues.jenkins-ci.org/browse/SECURITY-199 , this is not a bug. Closing as not a bug.
Bug 1258515 depends on bug 1258522, which changed state.

Bug 1258522 Summary: jenkins: CSRF vulnerability allowing remote attacker to hijack authentication [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1258522

What        |Removed |Added
------------+--------+---------
Status      |NEW     |CLOSED
Resolution  |---     |NOTABUG
Bug 1258515 depends on bug 1258523, which changed state.

Bug 1258523 Summary: python-jenkins: jenkins: CSRF vulnerability allowing remote attacker to hijack authentication [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1258523

What        |Removed |Added
------------+--------+---------
Status      |NEW     |CLOSED
Resolution  |---     |NOTABUG