Bug 1656865 (CVE-2018-1000861)
| Field | Value |
|---|---|
| Summary | CVE-2018-1000861 jenkins: code execution through crafted URLs (SECURITY-595) |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | unspecified |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | jenkins 2.154, Jenkins LTS 2.138.4, Jenkins LTS 2.150.1 |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Clone Of | |
| Environment | |
| Last Closed | 2021-10-27 03:20:10 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Reporter | Laura Pardo <lpardo> |
| Assignee | Red Hat Product Security <security-response-team> |
| QA Contact | |
| Docs Contact | |
| CC | abhgupta, ahardin, aos-bugs, bleanhar, bparees, ccoleman, dbaker, dedgar, eparis, java-sig-commits, jgoulding, jokerman, mchappel, mizdebsk, msrb, security-response-team, sfowler, sthangav, trankin, travi, wzheng, ymittal |
| Keywords | Security |
| Story Points | --- |
| Bug Depends On | 1656866, 1657084, 1657085, 1657086, 1657087, 1657088, 1657089, 1657090, 1657091, 1657092, 1657093 |
| Bug Blocks | 1656867 |
Description
Laura Pardo
2018-12-06 14:33:06 UTC
Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1656866]

From upstream advisory:

> As of publication of this advisory, we are aware of the following potential attacks in the latest Jenkins releases that do not yet contain this fix:
>
> - Unauthenticated users can invalidate all sessions
> - Users with Overall/Read permission could create new user objects in memory.
> - Users with Overall/Read access could manually kick off otherwise periodically executed runs of implementations of AsyncPeriodicWork.
>
> Given the vast potential attack surface, we fully expect other attacks that we are not currently aware of to be possible on Jenkins releases that do not have this fix applied. This is reflected in the high score we assigned to this issue, rather than limiting the score to the impact through known issues.

Statement:

This vulnerability is only exploitable by a user with developer permissions. Therefore this vulnerability is rated Important for OpenShift Container Platform 3.x.

PR https://github.com/openshift/jenkins/pull/749 created for 3.11

The PR I mentioned has merged, updating our centos image.

Job https://buildvm.openshift.eng.bos.redhat.com:8443/job/devex/job/devex%252Fjenkins-bump-version/27/ updated the RPM used in the 3.11 z stream to point to 2.138.4
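Added example, not part of this bug report and not Jenkins or Red Hat code: a triage helper that decides, from a Jenkins version string, whether an instance predates the fix versions listed in the bug's "Fixed In Version" field (weekly 2.154, LTS 2.138.4, LTS 2.150.1). The point it makes that the field alone does not is that Jenkins versions are not one ordered line: weekly releases have two components (2.139) and LTS releases three (2.138.4), LTS lines are numbered after the weekly they branched from, so weekly 2.139 is still vulnerable even though it sorts after 2.138.4, while any LTS line branched at or after 2.154 carries the fix. Jenkins reports its version in the `X-Jenkins` response header; the hostnames and header values in the sample inventory are constructed. LTS lines the page says nothing about (for example 2.121.x) are reported as unknown rather than guessed.

```python
"""Triage Jenkins versions against the SECURITY-595 fix versions.

Fix versions are taken from the bug's "Fixed In Version" field. The
version-scheme rules (weekly = two components, LTS = three, LTS lines
numbered after the weekly they branched from) are standard Jenkins
versioning, not something this bug states.
"""
from typing import Dict, Optional, Tuple

# From the page's "Fixed In Version" field.
FIXED_WEEKLY = (2, 154)          # weekly 2.154
FIXED_LTS = {
    (2, 138): 4,                 # LTS 2.138.4
    (2, 150): 1,                 # LTS 2.150.1
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse "2.138.4" into (2, 138, 4); reject anything else."""
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Jenkins version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version lacks the fix, False if it has it, None if unknown.

    None is returned for LTS lines older than 2.154 that the page does not
    list (e.g. 2.121.x): nothing on the page says whether they were fixed.
    """
    v = parse_version(version)
    if len(v) == 2:
        # Weekly line: every weekly before 2.154 is vulnerable, 2.154+ fixed.
        return v < FIXED_WEEKLY
    line, patch = v[:2], v[2]
    if line in FIXED_LTS:
        # One of the two LTS lines that received a backported fix.
        return patch < FIXED_LTS[line]
    if line >= FIXED_WEEKLY:
        # LTS line branched from a weekly that already contained the fix.
        return False
    return None


# Constructed sample inventory: host -> value of its X-Jenkins header.
SAMPLE_INVENTORY: Dict[str, str] = {
    "ci-a.example.internal": "2.138.3",   # LTS, one patch short of the fix
    "ci-b.example.internal": "2.139",     # weekly; sorts after 2.138.4 but unfixed
    "ci-c.example.internal": "2.150.1",   # LTS fix release
    "ci-d.example.internal": "2.121.3",   # older LTS line not covered by the page
}


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'vulnerable', 'fixed' or 'unknown'."""
    labels = {True: "vulnerable", False: "fixed", None: "unknown"}
    return {host: labels[is_vulnerable(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feeding the helper real `X-Jenkins` header values collected from an inventory gives a patch list that matches the bug's fix versions; hosts reported as unknown need a manual check against the upstream advisory rather than an assumption either way.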