jenkins: multiple issues

ID ASA-201511-11
Type archlinux
Reporter Arch Linux
Modified 2015-11-18T00:00:00


  • CVE-2015-5317 (information leakage)

The Jenkins UI allowed users to see the names of jobs and builds otherwise inaccessible to them on the "Fingerprints" pages if those jobs shared file fingerprints with fingerprinted files in jobs the user could access.

  • CVE-2015-5318 (cross-site request forgery)

The salt used to generate the CSRF protection tokens was a publicly accessible value, allowing malicious users to circumvent CSRF protection by generating the correct token.

  • CVE-2015-5319 (XML external entity injection)

When creating a job using the create-job CLI command, external entities in the submitted XML are neither discarded nor processed. If these job configurations are later processed by another user with an XML-aware tool (e.g. using get-job/update-job), information from that user's computer may be disclosed to Jenkins and the attacker.

  • CVE-2015-5320 (access restriction bypass)

JNLP slave connections did not verify that the correct secret was supplied, which allowed malicious users to connect their own machines as slaves to Jenkins knowing only the name of the slave. This enables attackers to take over Jenkins (unless the slave-to-master security subsystem is enabled) or gain access to private data like keys and source code.

  • CVE-2015-5321 (information leakage)

The CLI command overview and help pages in Jenkins were accessible without Overall/Read permission, resulting in disclosure of the names of configured slaves (and contents of other sidepanel widgets, if present) to unauthorized users.

  • CVE-2015-5322 (directory traversal)

Access to the /jnlpJars/ URL was not limited to the specific JAR files users needed to access, allowing browsing directories and downloading other files in the Jenkins servlet resources, such as web.xml.

  • CVE-2015-5323 (access restriction bypass)

API tokens of other users were exposed to admins by default. On instances that don't implicitly grant RunScripts permission to admins, this allowed admins to run scripts with another user's credentials.

  • CVE-2015-5324 (information leakage)

The /queue/api URL could return information about items not accessible to the current user (such as parameter names and values, build names, project descriptions).

  • CVE-2015-5325 (access restriction bypass)

Slaves connecting via JNLP were not subject to the optional slave-to-master access control (see CVE-2014-3665).

  • CVE-2015-5326 (cross-site scripting)

Users with the permission to take slave nodes offline can enter arbitrary HTML that gets shown unescaped to users visiting the slave overview page.

  • CVE-2015-8103 (arbitrary code execution)

Unsafe deserialization allows unauthenticated remote attackers to run arbitrary code on the Jenkins master.