Bug 1054557 (CVE-2013-6488)

Summary: CVE-2013-6488 jenkins: failure to sanitize input before adding it to the page
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bleanhar, ccoleman, dmcphers, jdetiber, jialiu, lmeyer, ratulg, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-17 05:47:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1054033    

Description Murray McAllister 2014-01-17 03:03:09 UTC 
An instance was found of Jenkins not sanitizing input before adding it to the page. This could be used for copy and paste attacks, with the end result being similar to that of cross-site scripting attacks.

Upstream fix:

https://github.com/jenkinsci/jenkins/commit/f8d2a0ba6c2e261f48287bdd95bd7a2d7a8d2d0e

Acknowledgements:

Red Hat would like to thank Teguh P. Alko for reporting this issue.
Comment 2 Murray McAllister 2014-01-17 05:47:36 UTC 
Statement:

Not vulnerable. This issue did not affect the version of Jenkins as shipped with Red Hat OpenShift Enterprise 1.2 or 2.0.
Comment 3 Ratul Gupta 2014-01-21 05:59:21 UTC 
This bug has been marked as duplicate of CVE-2013-0328:
http://seclists.org/oss-sec/2014/q1/130

*** This bug has been marked as a duplicate of bug 914876 ***