https://bugzilla.redhat.com/show_bug.cgi?id=1819211
Bug ID: 1819211
Summary: CVE-2020-2162 jenkins: Content-Security-Policy headers for files uploaded leads to XSS
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: darunesh@redhat.com
CC: abenaiss@redhat.com, aos-bugs@redhat.com, bmontgom@redhat.com, eparis@redhat.com, extras-orphan@fedoraproject.org, java-sig-commits@lists.fedoraproject.org, jburrell@redhat.com, jokerman@redhat.com, mizdebsk@redhat.com, msrb@redhat.com, nstielau@redhat.com, pbhattac@redhat.com, sponnaga@redhat.com, vbobade@redhat.com
Target Milestone: ---
Classification: Other
A vulnerability was found in Jenkins 2.227 and earlier and LTS 2.204.5 and earlier: these versions do not set Content-Security-Policy headers on files uploaded as file parameters to a build, so a file served back to a browser can carry script that executes in the Jenkins origin, resulting in a stored XSS vulnerability.
Reference: http://www.openwall.com/lists/oss-security/2020/03/25/2
Dhananjay Arunesh darunesh@redhat.com changed:

What        | Removed | Added
------------|---------|--------
Depends On  |         | 1819217
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1819217 [Bug 1819217] CVE-2020-2162 jenkins: Content-Security-Policy headers for files uploaded leads to XSS [fedora-all]
Dhananjay Arunesh darunesh@redhat.com changed:

What        | Removed | Added
------------|---------|--------
Depends On  |         | 1819217
Blocks      |         | 1819191
--- Comment #1 from Dhananjay Arunesh darunesh@redhat.com ---

Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1819217]
Sam Fowler sfowler@redhat.com changed:

What              | Removed | Added
------------------|---------|------------------------------------------------------------
Fixed In Version  |         | jenkins LTS 2.204.6, jenkins LTS 2.222.1, jenkins 2.228
--- Comment #2 from Sam Fowler sfowler@redhat.com ---

External References:
https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1793
Sam Fowler sfowler@redhat.com changed:

What        | Removed | Added
------------|---------|---------------------------
Depends On  |         | 1819498, 1819506, 1819502
Sam Fowler sfowler@redhat.com changed:

What        | Removed | Added
------------|---------|--------
Depends On  | 1819502 |
Sam Fowler sfowler@redhat.com changed:

What        | Removed | Added
------------|---------|--------
Depends On  |         | 1819501
Sam Fowler sfowler@redhat.com changed:

What        | Removed | Added
------------|---------|--------
Depends On  | 1819498 |
Sam Fowler sfowler@redhat.com changed:

What        | Removed | Added
------------|---------|--------
Depends On  |         | 1819497
Sam Fowler sfowler@redhat.com changed:

What        | Removed | Added
------------|---------|--------
Depends On  | 1819506 |
Sam Fowler sfowler@redhat.com changed:

What        | Removed | Added
------------|---------|--------
Depends On  |         | 1819505
Sam Fowler sfowler@redhat.com changed:

What        | Removed | Added
------------|---------|------------------
Depends On  |         | 1820018, 1820017
Vikas Laad vlaad@redhat.com changed:

What        | Removed | Added
------------|---------|--------
Depends On  |         | 1873174
jawed jkhelil@redhat.com changed:

What        | Removed | Added
------------|---------|--------
Depends On  |         | 1877292
Bug 1819211 depends on bug 1819217, which changed state.

Bug 1819217 Summary: CVE-2020-2162 jenkins: Content-Security-Policy headers for files uploaded leads to XSS [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1819217

What        | Removed | Added
------------|---------|--------
Status      | NEW     | CLOSED
Resolution  | ---     | EOL