| Summary: | CVE-2013-5573 jenkins: default markup formatter permits offsite-bound forms (SECURITY-88) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Ratul Gupta <ratulg> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | bleanhar, ccoleman, dmcphers, jdetiber, jialiu, jrusnack, lmeyer, mmcgrath, vkrizan |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | 1033371, 1033372, 1033373 | ||
| Bug Blocks: | 1044977, 1103334 | ||
This issue has been addressed in the following products: Red Hat OpenShift Enterprise 2.1 Via RHBA-2014:1630 https://rhn.redhat.com/errata/RHBA-2014-1630.html This issue has been addressed in the following products: Red Hat OpenShift Enterprise 2.1 Via RHBA-2014:1630 https://rhn.redhat.com/errata/RHBA-2014-1630.html Mitigation:
'MyspacePolicy' permits
tag("form", "action", ONSITE_OR_OFFSITE_URL, "method");
Fix 'MyspacePolicy' by restricting the policy to ONSITE_URL only or perhaps <form> could be banned entirely.
|
The default installation and configuration of Jenkins CI is prone to a security vulnerability. The Jenkins CI default markup formatter permits offsite-bound forms. This vulnerability could be exploited by a remote attacker (a malicious user) to inject malicious persistent HTML script code (application side). Currently, there are no known upgrades or patches to correct this vulnerability. It is possible to temporarily mitigate the flaw by implementing the following workaround: 'MyspacePolicy' permits tag("form", "action", ONSITE_OR_OFFSITE_URL, "method"); Fix 'MyspacePolicy' by restricting the policy to ONSITE_URL only or perhaps <form> could be banned entirely. References: http://seclists.org/fulldisclosure/2013/Dec/159