Bug 1566947 (CVE-2018-1000169)

Summary: CVE-2018-1000169 jenkins: CLI leaked existence of views and agents with attacker-specified names to users without Overall/Read permission (SECURITY-754)
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ahardin, bleanhar, ccoleman, dedgar, dmcphers, java-sig-commits, jgoulding, jokerman, mchappel, mizdebsk, msrb, slawomir
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jenkins 2.107.2, jenkins 2.116 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-21 20:00:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1566955, 1566956, 1567318    
Bug Blocks: 1566953    

Description Adam Mariš 2018-04-13 08:19:30 UTC 
The Jenkins CLI sent different error responses for commands with view and agent arguments depending on the existence of the specified views or agents to unauthorized users. This allowed attackers to determine whether views or agents with specified names exist.

External References:

https://jenkins.io/security/advisory/2018-04-11/
Comment 1 Adam Mariš 2018-04-13 08:27:46 UTC 
Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1566955]