Bug 1044976 - (CVE-2013-5573) CVE-2013-5573 jenkins: default markup formatter permits offsite-bound forms (SECURITY-88)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20131216,repor...
Keywords: Security
Depends On: 1033371 1033372 1033373
Blocks: 1044977 1103334
Reported: 2013-12-19 06:10 EST by Ratul Gupta
Modified: 2015-08-04 03:49 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Description Ratul Gupta 2013-12-19 06:10:24 EST
The default installation and configuration of Jenkins CI is prone to a security vulnerability. The Jenkins CI default markup formatter permits offsite-bound forms. This vulnerability could be exploited by a remote attacker (a malicious user) to inject malicious persistent HTML script code (application side).

Currently, there are no known upgrades or patches to correct this vulnerability. It is possible to temporarily mitigate the flaw by implementing the following workaround:

'MyspacePolicy' permits
tag("form", "action", ONSITE_OR_OFFSITE_URL, "method");

Fix 'MyspacePolicy' by restricting the policy to ONSITE_URL only or perhaps <form> could be banned entirely.

References:
http://seclists.org/fulldisclosure/2013/Dec/159
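As an added illustration (not Jenkins' MyspacePolicy code and not part of this report), the two form-action settings described in the description and again in Comment 4, expressed with the OWASP Java HTML Sanitizer's HtmlPolicyBuilder API, assumed here to be the library underneath the Jenkins markup formatter. The ONSITE_URL and ONSITE_OR_OFFSITE_URL patterns, the class name and the sample markup are my own assumptions.

```java
// Added example, not Jenkins' MyspacePolicy: two sanitizer policies that differ
// only in which URLs a <form action> may carry. The patterns are assumptions.
import java.util.regex.Pattern;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class FormActionPolicyDemo {
    // Path/query characters without ':' so no scheme can be smuggled in.
    private static final String URL_BODY = "[\\p{L}\\p{N}\\-._~/?#=&%+,;!@()*]*";

    // Weak setting: an absolute http(s) URL to any host, or a relative reference.
    static final Pattern ONSITE_OR_OFFSITE_URL = Pattern.compile(
        "^(?:(?i:https?)://[\\p{L}\\p{N}.-]+(?::\\d+)?)?(?!//)" + URL_BODY + "$");

    // Fixed setting: relative references only. The lookahead also rejects
    // scheme-relative "//host/..." references, which would otherwise leave the site.
    static final Pattern ONSITE_URL = Pattern.compile("^(?!//)" + URL_BODY + "$");

    static PolicyFactory formPolicy(Pattern allowedActionUrls) {
        // The report's alternative fix, banning <form> entirely, is simply leaving
        // "form" out of allowElements(): the tag is dropped and its text content kept.
        return new HtmlPolicyBuilder()
            .allowStandardUrlProtocols()           // http, https, mailto
            .allowElements("p", "form", "input")
            .allowAttributes("action").matching(allowedActionUrls).onElements("form")
            .allowAttributes("method").matching(Pattern.compile("(?i)get|post")).onElements("form")
            .allowAttributes("type", "name").onElements("input")
            .toFactory();
    }

    static final PolicyFactory WEAK  = formPolicy(ONSITE_OR_OFFSITE_URL);
    static final PolicyFactory FIXED = formPolicy(ONSITE_URL);

    public static void main(String[] args) {
        // Constructed samples standing in for user-supplied description markup.
        String[] samples = {
            "<form action=\"/job/demo/submit\" method=\"post\"><input type=\"text\" name=\"q\"></form>",
            "<form action=\"https://third-party.example/collect\" method=\"post\">"
                + "<input type=\"password\" name=\"pw\"></form>",
        };
        for (String html : samples) {
            // WEAK keeps both actions; FIXED strips the off-site action, so the
            // form, if rendered at all, can only submit back to the hosting site.
            System.out.println("weak : " + WEAK.sanitize(html));
            System.out.println("fixed: " + FIXED.sanitize(html));
        }
    }
}
```

Because the sanitizer drops a non-matching attribute rather than the whole element, a deployment that prefers to reject the form outright should omit "form" from the allowed elements, as the report also suggests.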
Comment 2 Kurt Seifried 2014-10-28 18:54:17 EDT
This issue has been addressed in the following products:

  Red Hat OpenShift Enterprise 2.1

Via RHBA-2014:1630 https://rhn.redhat.com/errata/RHBA-2014-1630.html
Comment 4 Kurt Seifried 2015-07-15 21:22:24 EDT
Mitigation:

'MyspacePolicy' permits
tag("form", "action", ONSITE_OR_OFFSITE_URL, "method");

Fix 'MyspacePolicy' by restricting the policy to ONSITE_URL only or perhaps <form> could be banned entirely.
