1032397 – (CVE-2013-6373) CVE-2013-6373 Jenkins: lack of access control in Exclusion plugin (SECURITY-53)

Bug 1032397 (CVE-2013-6373) - CVE-2013-6373 Jenkins: lack of access control in Exclusion plugin (SECURITY-53)

Summary: CVE-2013-6373 Jenkins: lack of access control in Exclusion plugin (SECURITY-53)

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2013-6373
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1032405
TreeView+	depends on / blocked

Reported:	2013-11-20 05:46 UTC by Kurt Seifried
Modified:	2021-02-17 07:10 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2013-11-21 23:54:28 UTC
Embargoed:

Attachments	(Terms of Use)

Description Kurt Seifried 2013-11-20 05:46:12 UTC

Kohsuke Kawaguchi reports:

lack of access control in Exclusion plugin 

if an anonymous user views Jenkins, the link to the management function "Exclusion Administration" remains visible in the top left hand corent of the Jenkins main page, and can be clicked.

This was originally reported by mwebbe

Comment 2 Vincent Danen 2013-11-21 19:02:46 UTC

This is now public:

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-11-20

Comment 3 David Jorm 2013-11-21 22:20:44 UTC

Upstream patch commit:

https://github.com/jenkinsci/exclusion-plugin/commit/847f9aeb407c0f47046d184080c9e2c2e3720311

Comment 4 David Jorm 2013-11-21 23:54:28 UTC

Statement:

Not affected. This issue did not affect Jenkins as shipped with various Red Hat products, as they do not include the Jenkins Exclusion plugin.

Note You need to log in before you can comment on or make changes to this bug.