Bug 1067799 (CVE-2013-7330) - CVE-2013-7330 jenkins: configure a project you do not have access to (SECURITY-55)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-7330
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1033371 1033372 1033373
Blocks: 1065822 1103334
Reported: 2014-02-21 05:44 UTC by Murray McAllister
Modified: 2019-09-29 13:13 UTC (History)

Fixed In Version: jenkins 1.551
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-28 22:54:02 UTC
Embargoed:



Description Murray McAllister 2014-02-21 05:44:21 UTC
Jenkins Security Advisory 2014-02-14 notes:

"...Under some circumstances, a malicious user of Jenkins can configure job X to trigger another job Y that the user has no access to."

Upstream fix: https://github.com/jenkinsci/jenkins/commit/36342d71e29e0620f803a7470ce96c61761648d8

SECURITY-109/CVE-2014-2058 was assigned to an incomplete fix for this issue. As such, the following fix should also be applied to avoid becoming vulnerable to CVE-2014-2058: https://github.com/jenkinsci/jenkins/commit/b6b2a367a7976be80a799c6a49fa6c58d778b50e

References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14

Comment 1 Vincent Danen 2014-10-17 17:50:25 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-7330 to
the following vulnerability:

Name: CVE-2013-7330
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7330
Assigned: 20140220
Reference: http://www.openwall.com/lists/oss-security/2014/02/21/2
Reference: https://github.com/jenkinsci/jenkins/commit/36342d71e29e0620f803a7470ce96c61761648d8
Reference: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14

CloudBees Jenkins before 1.502 allows remote authenticated users to
configure an otherwise restricted project via vectors related to
post-build actions.

Note that a second CVE was assigned as the initial fix was incomplete:

Common Vulnerabilities and Exposures assigned an identifier CVE-2014-2058 to
the following vulnerability:

Name: CVE-2014-2058
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2058
Assigned: 20140219
Reference: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14

BuildTrigger in CloudBees Jenkins before 1.551 and LTS before 1.532.2
allows remote authenticated users to bypass access restrictions and
execute arbitrary jobs by configuring a job to trigger another job.
NOTE: this vulnerability exists because of an incomplete fix for
CVE-2013-7330.


This second CVE does not apply to us as we have not yet fixed this issue, noting the above for awareness (to ensure we use the full and complete fix).

Comment 2 Kurt Seifried 2014-10-28 22:54:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Enterprise 2.1

Via RHBA-2014:1630 https://rhn.redhat.com/errata/RHBA-2014-1630.html

