https://bugzilla.redhat.com/show_bug.cgi?id=1501817
Bug ID: 1501817
Summary: jenkins: "Queue Item" remote API disclosed information about inaccessible jobs (SECURITY-618)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: amaris@redhat.com
CC: bleanhar@redhat.com, ccoleman@redhat.com, dedgar@redhat.com, dmcphers@redhat.com, java-sig-commits@lists.fedoraproject.org, jgoulding@redhat.com, jkeck@redhat.com, kseifried@redhat.com, mizdebsk@redhat.com, msrb@redhat.com
The remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Job/Read permission.
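The defect class described above is an authorization check missing from a data-returning endpoint (CWE-200). The following is an added, self-contained model written for this page; it is not Jenkins source code and does not reproduce Jenkins' real queue or permission APIs. The names QueueItem, User, queue_item_api_vulnerable and queue_item_api_hardened, and the sample queue contents, are all constructed for illustration. It shows the unchecked handler beside one that verifies Job/Read on the item's job before serializing anything, and answers an unreadable item the same way as a nonexistent one so that the response does not confirm a queued build exists.

```python
"""
Hypothetical model (not Jenkins code) of the defect behind SECURITY-618:
a "queue item" remote API that serializes a queue entry without checking
whether the caller may read the job the entry belongs to. The vulnerable
and hardened handlers are shown side by side.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class QueueItem:
    item_id: int
    job_name: str
    why: str  # queue reason, e.g. "Waiting for next available executor"


@dataclass(frozen=True)
class User:
    name: str
    readable_jobs: frozenset  # jobs on which the user holds Job/Read


# Constructed sample data: two queued builds, one of them for a job that
# the sample user is not allowed to read.
QUEUE = [
    QueueItem(1, "public-website", "Waiting for next available executor"),
    QueueItem(2, "payroll-export", "In the quiet period"),
]
ALICE = User("alice", frozenset({"public-website"}))


def serialize(item):
    """Shape of the data a /queue/item/(ID)/api-style endpoint would emit."""
    return {"id": item.item_id, "task": {"name": item.job_name}, "why": item.why}


def find_item(item_id):
    return next((i for i in QUEUE if i.item_id == item_id), None)


def queue_item_api_vulnerable(user, item_id):
    """Looks the item up by id and returns it; never consults permissions.

    Returns (status, body). The user argument is accepted but ignored,
    which is exactly the problem: any authenticated caller who can guess
    or enumerate an id learns the job name and queue reason.
    """
    item = find_item(item_id)
    if item is None:
        return 404, None
    return 200, serialize(item)


def queue_item_api_hardened(user, item_id):
    """Authorization check before any data leaves the handler.

    An item whose job the caller cannot read is answered exactly like a
    nonexistent item (404, no body), so the response neither discloses
    the job nor confirms that a queued build exists for it.
    """
    item = find_item(item_id)
    if item is None or item.job_name not in user.readable_jobs:
        return 404, None
    return 200, serialize(item)


def visible_queue(user):
    """Listing variant of the same check: filter before serializing."""
    return [serialize(i) for i in QUEUE if i.job_name in user.readable_jobs]


if __name__ == "__main__":
    print("vulnerable:", queue_item_api_vulnerable(ALICE, 2))
    print("hardened:  ", queue_item_api_hardened(ALICE, 2))
    print("listing:   ", visible_queue(ALICE))
```

The listing helper applies the same rule to a whole-queue view: the filter runs over the objects before serialization, so a field added to the serializer later cannot leak for items the caller is not entitled to see.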
External References:
https://jenkins.io/security/advisory/2017-10-11/
https://bugzilla.redhat.com/show_bug.cgi?id=1501817
Adam Mariš amaris@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Blocks     |        |1501826
Kurt Seifried kseifried@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |1501971
--- Comment #1 from Kurt Seifried kseifried@redhat.com --- Created jenkins tracking bugs for this issue:
Affects: openshift-1 [bug 1501971]
Adam Mariš amaris@redhat.com changed:
What       |Removed                                                    |Added
----------------------------------------------------------------------------
Summary    |jenkins: "Queue Item" remote API disclosed information     |CVE-2017-1000399 jenkins: "Queue Item" remote API disclosed
           |about inaccessible jobs (SECURITY-618)                     |information about inaccessible jobs (SECURITY-618)
Alias      |                                                           |CVE-2017-1000399
Jason Shepherd jshepherd@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
CC         |        |ahardin@redhat.com, dbaker@redhat.com, jokerman@redhat.com, mchappel@redhat.com
Whiteboard |impact=moderate,public=20171011,reported=20171011,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-200,openshift-enterprise-3/jenkins=new,openshift-1/jenkins=affected,fedora-all/jenkins=affected
           |impact=moderate,public=20171011,reported=20171011,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-200,openshift-enterprise-3/jenkins=affected,openshift-1/jenkins=affected,fedora-all/jenkins=affected
Jason Shepherd jshepherd@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |1558841, 1558840
--- Comment #2 from Jason Shepherd jshepherd@redhat.com --- Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1558840]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1558840
[Bug 1558840] CVE-2017-1000399 jenkins: "Queue Item" remote API disclosed information about inaccessible jobs (SECURITY-618) [fedora-all]
Jason Shepherd jshepherd@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Whiteboard |impact=moderate,public=20171011,reported=20171011,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-200,openshift-enterprise-3/jenkins=affected,openshift-1/jenkins=affected,fedora-all/jenkins=affected
           |impact=moderate,public=20171011,reported=20171011,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-200,openshift-enterprise-3/jenkins=notaffected,openshift-1/jenkins=affected,fedora-all/jenkins=affected
--- Comment #4 from Jason Shepherd jshepherd@redhat.com --- Openshift is now using Jenkins 2.89.2. Marking Enterprise and Online as not affected.