https://bugzilla.redhat.com/show_bug.cgi?id=1730877
Bug ID: 1730877
Summary: CVE-2019-10353 jenkins: CSRF protection tokens did not expire (SECURITY-626)
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=important,public=20190717,reported=20190717,source=internet,cvss3=7.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L,cwe=CWE-352,openshift-enterprise-3.6/jenkins=new,openshift-enterprise-3.7/jenkins=new,openshift-enterprise-3.9/jenkins=new,openshift-enterprise-3.10/jenkins=new,openshift-enterprise-3.11/jenkins=new,openshift-enterprise-4.1/jenkins=new,fedora-all/jenkins=affected
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: lpardo@redhat.com
CC: abenaiss@redhat.com, adam.kaplan@redhat.com, ahardin@redhat.com, aos-bugs@redhat.com, bleanhar@redhat.com, ccoleman@redhat.com, dedgar@redhat.com, eparis@redhat.com, java-sig-commits@lists.fedoraproject.org, jgoulding@redhat.com, jokerman@redhat.com, mchappel@redhat.com, mizdebsk@redhat.com, msrb@redhat.com, vbobade@redhat.com, wzheng@redhat.com
Target Milestone: ---
Classification: Other
A vulnerability was found in Jenkins versions weekly before 2.186 and LTS before 2.176.2. By default, CSRF tokens in Jenkins only checked user authentication and IP address. This allowed attackers able to obtain a CSRF token for another user to implement CSRF attacks as long as the victim’s IP address remained unchanged.
--- Comment #1 from Laura Pardo lpardo@redhat.com --- External References:
https://jenkins.io/security/advisory/2019-07-17/#SECURITY-626
Laura Pardo lpardo@redhat.com changed:
What        | Removed | Added
------------+---------+--------
Depends On  |         | 1730878
--- Comment #2 from Laura Pardo lpardo@redhat.com --- Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1730878]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1730878 [Bug 1730878] CVE-2019-10353 jenkins: CSRF protection tokens did not expire (SECURITY-626) [fedora-all]
Sam Fowler sfowler@redhat.com changed:
Whiteboard changed:
  Removed: impact=important,public=20190717,reported=20190717,source=internet,cvss3=7.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L,cwe=CWE-352,openshift-enterprise-3.6/jenkins=new,openshift-enterprise-3.7/jenkins=new,openshift-enterprise-3.9/jenkins=new,openshift-enterprise-3.10/jenkins=new,openshift-enterprise-3.11/jenkins=new,openshift-enterprise-4.1/jenkins=new,fedora-all/jenkins=affected
  Added:   impact=important,public=20190717,reported=20190717,source=internet,cvss3=7.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L,cwe=CWE-352,openshift-enterprise-3.6/jenkins=new,openshift-enterprise-3.7/jenkins=new,openshift-enterprise-3.9/jenkins=new,openshift-enterprise-3.10/jenkins=new,openshift-enterprise-3.11/jenkins=new,openshift-enterprise-4.1/jenkins=affected,fedora-all/jenkins=affected
Laura Pardo lpardo@redhat.com changed:
What        | Removed | Added
------------+---------+--------
Blocks      |         | 1730879
Sam Fowler sfowler@redhat.com changed:
What        | Removed | Added
------------+---------+--------
Depends On  |         | 1731021
Sam Fowler sfowler@redhat.com changed:
Whiteboard changed:
  Removed: impact=important,public=20190717,reported=20190717,source=internet,cvss3=7.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L,cwe=CWE-352,openshift-enterprise-3.6/jenkins=new,openshift-enterprise-3.7/jenkins=new,openshift-enterprise-3.9/jenkins=new,openshift-enterprise-3.10/jenkins=new,openshift-enterprise-3.11/jenkins=new,openshift-enterprise-4.1/jenkins=affected,fedora-all/jenkins=affected
  Added:   impact=important,public=20190717,reported=20190717,source=internet,cvss3=7.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L,cwe=CWE-352,openshift-enterprise-3.6/jenkins=new,openshift-enterprise-3.7/jenkins=new,openshift-enterprise-3.9/jenkins=new,openshift-enterprise-3.10/jenkins=new,openshift-enterprise-3.11/jenkins=affected,openshift-enterprise-4.1/jenkins=affected,fedora-all/jenkins=affected
Sam Fowler sfowler@redhat.com changed:
What        | Removed | Added
------------+---------+--------
Depends On  |         | 1731024
Sam Fowler sfowler@redhat.com changed:
Whiteboard changed:
  Removed: impact=important,public=20190717,reported=20190717,source=internet,cvss3=7.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L,cwe=CWE-352,openshift-enterprise-3.6/jenkins=new,openshift-enterprise-3.7/jenkins=new,openshift-enterprise-3.9/jenkins=new,openshift-enterprise-3.10/jenkins=new,openshift-enterprise-3.11/jenkins=affected,openshift-enterprise-4.1/jenkins=affected,fedora-all/jenkins=affected
  Added:   impact=important,public=20190717,reported=20190717,source=internet,cvss3=7.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L,cwe=CWE-352,openshift-enterprise-3.6/jenkins=wontfix,openshift-enterprise-3.7/jenkins=wontfix,openshift-enterprise-3.9/jenkins=wontfix,openshift-enterprise-3.10/jenkins=wontfix,openshift-enterprise-3.11/jenkins=affected,openshift-enterprise-4.1/jenkins=affected,fedora-all/jenkins=affected
--- Comment #5 from Sam Fowler sfowler@redhat.com --- "Any security advisory related updates to Jenkins core or the plugins we include in the OpenShift Jenkins master image will only occur in the v3.11 and v4.x branches of this repository."
https://github.com/openshift/jenkins/blob/master/README.md#jenkins-security-...
Akram Ben Aissi abenaiss@redhat.com changed:
What        | Removed | Added
------------+---------+--------
Depends On  |         | 1731034
Sam Fowler sfowler@redhat.com changed:
Whiteboard changed:
  Removed: impact=important,public=20190717,reported=20190717,source=internet,cvss3=7.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L,cwe=CWE-352,openshift-enterprise-3.6/jenkins=wontfix,openshift-enterprise-3.7/jenkins=wontfix,openshift-enterprise-3.9/jenkins=wontfix,openshift-enterprise-3.10/jenkins=wontfix,openshift-enterprise-3.11/jenkins=affected,openshift-enterprise-4.1/jenkins=affected,fedora-all/jenkins=affected
  Added:   impact=important,public=20190717,reported=20190717,source=internet,cvss3=7.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L,cwe=CWE-352,openshift-enterprise-3.6/jenkins=wontfix,openshift-enterprise-3.7/jenkins=wontfix,openshift-enterprise-3.9/jenkins=wontfix,openshift-enterprise-3.10/jenkins=wontfix,openshift-enterprise-3.11/jenkins=affected,openshift-enterprise-4.1/jenkins=affected,fedora-all/jenkins=affected,openshift-4.2/jenkins=affected
--- Comment #6 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 3.11
Via RHSA-2019:2503 https://access.redhat.com/errata/RHSA-2019:2503
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What        | Removed | Added
------------+---------+---------------------------------------
Link ID     |         | Red Hat Product Errata RHSA-2019:2503
Product Security DevOps Team prodsec-dev@redhat.com changed:
What        | Removed | Added
------------+---------+--------------------
Status      | NEW     | CLOSED
Resolution  | ---     | ERRATA
Last Closed |         | 2019-08-15 14:47:07
--- Comment #7 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-10353
--- Comment #8 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.1
Via RHSA-2019:2548 https://access.redhat.com/errata/RHSA-2019:2548
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What        | Removed | Added
------------+---------+---------------------------------------
Link ID     |         | Red Hat Product Errata RHSA-2019:2548
--- Doc Text *updated* by Eric Christensen sparks@redhat.com --- A flaw was found in Jenkins in weekly versions prior to 2.186 and LTS versions prior to 2.176.2. By default, CSRF tokens in Jenkins only checked user authentication and IP address, which allowed attackers who were able to obtain a CSRF token for another user to implement CSRF attacks as long as the victim’s IP address remained unchanged. The highest threat from this vulnerability is to data confidentiality and integrity.
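As an added illustration of the token design described in the bug report and the doc text above (this is not Jenkins code and not a transcription of the Jenkins fix), the Python below contrasts a CSRF token ("crumb") bound only to user and client IP with one that is also bound to the web session and carries an expiry; the secret key, user, IP addresses and session ids are all constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key; a real issuer keeps this in protected server-side state.
SECRET = b"constructed-demo-key"
TTL_SECONDS = 3600

def _mac(*parts: str) -> str:
    return hmac.new(SECRET, "|".join(parts).encode(), hashlib.sha256).hexdigest()

def weak_crumb(user: str, client_ip: str) -> str:
    """Pre-fix scheme as the bug describes: bound only to user and IP, no expiry."""
    return _mac(user, client_ip)

def weak_is_valid(token: str, user: str, client_ip: str) -> bool:
    # Same user + same IP is all that is checked, however old the token is.
    return hmac.compare_digest(token, weak_crumb(user, client_ip))

def strong_crumb(user: str, client_ip: str, session_id: str, issued_at: int) -> str:
    """Hardened scheme (a common design, not a transcription of the Jenkins fix):
    also bound to the web session and carrying an issue time so it can expire."""
    return f"{issued_at}:{_mac(user, client_ip, session_id, str(issued_at))}"

def strong_is_valid(token: str, user: str, client_ip: str, session_id: str, now: int) -> bool:
    issued_str, _, mac = token.partition(":")
    if not issued_str.isdigit() or not mac:
        return False
    issued_at = int(issued_str)
    if not 0 <= now - issued_at <= TTL_SECONDS:  # expired or future-dated token
        return False
    return hmac.compare_digest(token, strong_crumb(user, client_ip, session_id, issued_at))

def demo() -> dict:
    """Replays a token issued at t=1000 in session s1 under both schemes."""
    user, ip = "alice", "203.0.113.10"  # constructed victim identity
    weak = weak_crumb(user, ip)
    strong = strong_crumb(user, ip, "s1", 1000)
    return {
        "weak_much_later": weak_is_valid(weak, user, ip),  # True: never expires
        "weak_other_ip": weak_is_valid(weak, user, "198.51.100.7"),  # False: IP is checked
        "strong_same_session": strong_is_valid(strong, user, ip, "s1", 1500),  # True
        "strong_new_session": strong_is_valid(strong, user, ip, "s2", 1500),  # False
        "strong_expired": strong_is_valid(strong, user, ip, "s1", 1000 + TTL_SECONDS + 1),  # False
    }
```

The weak scheme matches the advisory's condition exactly: a token stays usable indefinitely while the IP is unchanged, whereas the session binding and TTL make a token issued earlier worthless once the session rotates or the window passes.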
Bug 1730877 depends on bug 1730878, which changed state.
Bug 1730878 Summary: CVE-2019-10353 jenkins: CSRF protection tokens did not expire (SECURITY-626) [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1730878
What        | Removed | Added
------------+---------+--------
Status      | NEW     | CLOSED
Resolution  | ---     | EOL