Jenkins Security Advisory 2014-02-14 notes: "...Under some circumstances, a malicious user of Jenkins can configure job X to trigger another job Y that the user has no access to."

Upstream fix: https://github.com/jenkinsci/jenkins/commit/36342d71e29e0620f803a7470ce96c61761648d8

SECURITY-109/CVE-2014-2058 was assigned to an incomplete fix for this issue. As such, the following fix should also be applied, otherwise the result is still vulnerable to CVE-2014-2058: https://github.com/jenkinsci/jenkins/commit/b6b2a367a7976be80a799c6a49fa6c58d778b50e

References: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-7330 to the following vulnerability:

Name: CVE-2013-7330
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7330
Assigned: 20140220
Reference: http://www.openwall.com/lists/oss-security/2014/02/21/2
Reference: https://github.com/jenkinsci/jenkins/commit/36342d71e29e0620f803a7470ce96c61761648d8
Reference: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14

CloudBees Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.

Note that a second CVE was assigned because the initial fix was incomplete:

Common Vulnerabilities and Exposures assigned an identifier CVE-2014-2058 to the following vulnerability:

Name: CVE-2014-2058
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2058
Assigned: 20140219
Reference: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14

BuildTrigger in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

This second CVE does not apply to us as we have not yet fixed this issue; the above is noted for awareness (to ensure we use the full and complete fix).
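The flaw above is about what a job's post-build "Build other projects" (BuildTrigger) step is allowed to point at. Before or after applying both upstream commits, an administrator will want to know which existing jobs were already configured to trigger which other jobs, since a trigger edge set up while the instance was vulnerable survives the upgrade. The following audit script is an added example, not code from the advisory, from Jenkins, or from the upstream commits. It assumes the on-disk layout of that era: one `config.xml` per job under `$JENKINS_HOME/jobs/<name>/`, with the trigger serialized as a `hudson.tasks.BuildTrigger` publisher whose `childProjects` element holds a comma-separated list of downstream job names (element names are an assumption; check one of your own configs before relying on them). The sample configs embedded below are constructed, and the `restricted` set (jobs that ordinary users must not be able to build) is something the administrator supplies from their own authorization matrix; the script cannot recover who originally saved each job configuration.

```python
"""Audit Jenkins job configs for BuildTrigger edges (upstream -> downstream).

Added illustrative example; not part of the Jenkins code base or the advisory.
Assumed config.xml layout: <hudson.tasks.BuildTrigger><childProjects>a, b</childProjects>.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

BUILD_TRIGGER_TAG = "hudson.tasks.BuildTrigger"  # assumed element name in config.xml

# Constructed sample job configs (not real Jenkins data).
SAMPLE_JOB_X = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <description>sample upstream job</description>
  <publishers>
    <hudson.tasks.BuildTrigger>
      <childProjects>job-y, release-deploy, ghost-job</childProjects>
      <threshold><name>SUCCESS</name><ordinal>0</ordinal><color>BLUE</color></threshold>
    </hudson.tasks.BuildTrigger>
  </publishers>
</project>
"""

SAMPLE_JOB_Y = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <description>sample downstream job with no triggers</description>
  <publishers/>
</project>
"""


def downstream_from_config(xml_doc):
    """Return the downstream job names declared by BuildTrigger in one config.xml."""
    if isinstance(xml_doc, str):
        xml_doc = xml_doc.encode("utf-8")  # let expat honour the encoding declaration
    root = ET.fromstring(xml_doc)
    names = []
    for trigger in root.iter(BUILD_TRIGGER_TAG):
        child = trigger.find("childProjects")
        if child is None or not child.text:
            continue
        names.extend(n.strip() for n in child.text.split(",") if n.strip())
    return names


def audit_jobs_dir(jobs_dir):
    """Walk $JENKINS_HOME/jobs and return {job_name: [downstream names]} for every job."""
    edges = {}
    for job in sorted(os.listdir(jobs_dir)):
        cfg = os.path.join(jobs_dir, job, "config.xml")
        if not os.path.isfile(cfg):
            continue
        with open(cfg, "rb") as f:
            edges[job] = downstream_from_config(f.read())
    return edges


def flag_edges(edges, restricted):
    """Return (upstream, downstream, reason) triples worth a manual review.

    'restricted': the target is in the administrator-supplied set of jobs that
                  most users may not build, so the edge may have been created by
                  someone without BUILD permission on the target (the CVE case).
    'missing':    the target job does not exist; stale or mistyped, still worth a look.
    """
    flagged = []
    for upstream, targets in edges.items():
        for target in targets:
            if target in restricted:
                flagged.append((upstream, target, "restricted"))
            elif target not in edges:
                flagged.append((upstream, target, "missing"))
    return flagged


def demo():
    """Write the constructed sample configs into a temp jobs dir and audit them."""
    with tempfile.TemporaryDirectory() as home:
        jobs = os.path.join(home, "jobs")
        for name, xml in (("job-x", SAMPLE_JOB_X), ("job-y", SAMPLE_JOB_Y)):
            os.makedirs(os.path.join(jobs, name))
            with open(os.path.join(jobs, name, "config.xml"), "w", encoding="utf-8") as f:
                f.write(xml)
        edges = audit_jobs_dir(jobs)
        return edges, flag_edges(edges, restricted={"release-deploy"})


if __name__ == "__main__":
    found_edges, found_flags = demo()
    for up, targets in found_edges.items():
        print(f"{up} -> {', '.join(targets) or '(no downstream jobs)'}")
    for up, down, reason in found_flags:
        print(f"REVIEW: {up} triggers {down} [{reason}]")
```

Run it against a real instance by replacing `demo()` with `audit_jobs_dir("/var/lib/jenkins/jobs")` (or wherever `$JENKINS_HOME` lives) and passing the set of jobs your project-based authorization denies to ordinary users. Every flagged edge should be checked against who has configure permission on the upstream job; a trigger into a restricted job configured by someone lacking BUILD on that job is exactly the condition the two upstream commits close off.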
This issue has been addressed in the following products:

Red Hat OpenShift Enterprise 2.1

Via RHBA-2014:1630 https://rhn.redhat.com/errata/RHBA-2014-1630.html