Bug 1067799 (CVE-2013-7330)

Summary: CVE-2013-7330 jenkins: configure a project you do not have access to (SECURITY-55)
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bleanhar, ccoleman, dmcphers, jdetiber, jialiu, jrusnack, lmeyer, mmcgrath, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jenkins 1.551 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-28 22:54:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1033371, 1033372, 1033373    
Bug Blocks: 1065822, 1103334    

Description Murray McAllister 2014-02-21 05:44:21 UTC 
Jenkins Security Advisory 2014-02-14 notes:

"...Under some circimstances, a malicious user of Jenkins can configure job X to trigger another job Y that the user has no access to."

Upstream fix: https://github.com/jenkinsci/jenkins/commit/36342d71e29e0620f803a7470ce96c61761648d8

SECURITY-109/CVE-2014-2058 was assigned to an incomplete fix for this issue. As such, the following fix should also be applied to avoid becoming vulnerable to CVE-2014-2058: https://github.com/jenkinsci/jenkins/commit/b6b2a367a7976be80a799c6a49fa6c58d778b50e

References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14
Comment 1 Vincent Danen 2014-10-17 17:50:25 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-7330 to
the following vulnerability:

Name: CVE-2013-7330
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7330
Assigned: 20140220
Reference: http://www.openwall.com/lists/oss-security/2014/02/21/2
Reference: https://github.com/jenkinsci/jenkins/commit/36342d71e29e0620f803a7470ce96c61761648d8
Reference: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14

CloudBees Jenkins before 1.502 allows remote authenticated users to
configure an otherwise restricted project via vectors related to
post-build actions.

Note that a second CVE was assigned as the initial fix was incomplete:

Common Vulnerabilities and Exposures assigned an identifier CVE-2014-2058 to
the following vulnerability:

Name: CVE-2014-2058
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2058
Assigned: 20140219
Reference: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14

BuildTrigger in CloudBees Jenkins before 1.551 and LTS before 1.532.2
allows remote authenticated users to bypass access restrictions and
execute arbitrary jobs by configuring a job to trigger another job.
NOTE: this vulnerability exists because of an incomplete fix for
CVE-2013-7330.


This second CVE does not apply to us as we have not yet fixed this issue, noting the above for awareness (to ensure we use the full and complete fix).
Comment 2 Kurt Seifried 2014-10-28 22:54:02 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Enterprise 2.1

Via RHBA-2014:1630 https://rhn.redhat.com/errata/RHBA-2014-1630.html