Bug 1258515

Summary: jenkins: CSFR vulnerability allowing remote attacker to hijack authentication
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bleanhar, ccoleman, dmcphers, java-sig-commits, jdetiber, jialiu, jkeck, joelsmith, jokerman, kseifried, lmeyer, logans, mizdebsk, mmccomas, msrb
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-10-13 09:15:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1258520, 1258522, 1258523    
Bug Blocks: 1258518    

Description Adam Mariš 2015-08-31 14:23:16 UTC 
CSFR vulnerability in Jenkins 1.626 was found, allowing remote attackers to hijack the authentication of users for most requests. It can be exploited to change specific settings or execute code.

Report (includes reproducers):

http://seclists.org/bugtraq/2015/Aug/161
Comment 2 Adam Mariš 2015-08-31 14:29:09 UTC 
Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1258522]
Comment 3 Adam Mariš 2015-08-31 14:29:12 UTC 
Created python-jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1258523]
Comment 6 Adam Mariš 2015-10-13 09:15:00 UTC 
You're right! CSFR protection mitigates these attacks and according to upstream https://issues.jenkins-ci.org/browse/SECURITY-199 , this is not a bug. Closing as not a bug.