Bug 1032397 (CVE-2013-6373)

Summary: CVE-2013-6373 Jenkins: lack of access control in Exclusion plugin (SECURITY-53)
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerability    Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecified    CC: aneelica, bleanhar, ccoleman, djorm, dmcphers, jdetiber, jialiu, lmeyer, security-response-team, tkramer
Target Milestone: ---    Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-21 23:54:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1032405    

Description Kurt Seifried 2013-11-20 05:46:12 UTC
Kohsuke Kawaguchi reports:

lack of access control in Exclusion plugin

if an anonymous user views Jenkins, the link to the management function "Exclusion Administration" remains visible in the top left-hand corner of the Jenkins main page, and can be clicked.

This was originally reported by mwebbe.
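The flaw described above is the two-part failure a management link can have: the entry is rendered for users who have no right to see it, and the page behind it does not enforce a permission on its own. The following Java class is an added illustration written for this page; it is not the Exclusion plugin's code or the fix that plugin shipped. It assumes the Jenkins 1.x core API (`hudson.model.ManagementLink`, `jenkins.model.Jenkins`, Stapler request handling); the class name, display name and URL name are placeholders.

```java
// Added illustration for this advisory page, not the Exclusion plugin's own code.
// Assumed API: hudson.model.ManagementLink, jenkins.model.Jenkins, Stapler.
// ExampleAdminLink, "Example Administration" and "example-admin" are placeholders.
package example;

import hudson.Extension;
import hudson.model.ManagementLink;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;

import javax.servlet.ServletException;
import java.io.IOException;

@Extension
public class ExampleAdminLink extends ManagementLink {

    // Part 1: do not render the entry for users who lack ADMINISTER.
    // Returning null from getIconFileName() tells Jenkins to omit the link,
    // so an anonymous visitor never sees it on the page.
    @Override
    public String getIconFileName() {
        return Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER)
                ? "setting.png"
                : null;
    }

    @Override
    public String getDisplayName() {
        return "Example Administration";
    }

    @Override
    public String getUrlName() {
        return "example-admin";
    }

    // Part 2: hiding the link is only cosmetic; the URL is still reachable by
    // anyone who knows it. The handler itself must enforce the permission.
    // checkPermission() throws AccessDeniedException for callers without it,
    // which Jenkins turns into a 403 (or a login redirect for anonymous).
    public void doIndex(StaplerRequest req, StaplerResponse rsp)
            throws IOException, ServletException {
        Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
        rsp.setContentType("text/plain");
        rsp.getWriter().println("admin-only content");
    }
}
```

The check in `doIndex` is the one that matters for security; the `getIconFileName` gate only keeps the link out of the UI. An audit of a management plugin should confirm that every `do*` handler and every Jelly view reachable under its URL performs its own `checkPermission`, rather than relying on the link being hidden.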

Comment 2 Vincent Danen 2013-11-21 19:02:46 UTC
This is now public:

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-11-20

Comment 4 David Jorm 2013-11-21 23:54:28 UTC
Statement:

Not affected. This issue did not affect Jenkins as shipped with various Red Hat products, as they do not include the Jenkins Exclusion plugin.