Bug 859302 (CVE-2012-4438)

Summary: CVE-2012-4438 Jenkins: core allows unprivileged users to insert data into Jenkins master
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bleanhar, libra-onpremise-devel, mkhusid, rmillner, tkramer, vjuranek, wdecoste
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-12-14 19:36:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 859305    
Bug Blocks: 861484    

Description Kurt Seifried 2012-09-21 03:53:24 UTC 
Jenkins Security Advisory 2012-09-17

The first vulnerability in Jenkins core allows unprivileged users to insert 
data into Jenkins master, which can lead to remote code execution. For this 
vulnerability to be exploited, the attacker must have an HTTP access to a 
Jenkins master, and he must have a read access to Jenkins.

The following versions incorporate fixes to the vulnerabilities found in the 
Jenkins core.
-Main line users should upgrade to Jenkins 1.482
-LTS users should upgrade to 1.466.2

External reference:
http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb