Bug 1067799 - (CVE-2013-7330) CVE-2013-7330 jenkins: configure a project you do not have access to (SECURITY-55)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20140211,repor...
Keywords: Security
Depends On: 1033371 1033372 1033373
Blocks: 1065822 1103334
Reported: 2014-02-21 00:44 EST by Murray McAllister
Modified: 2015-03-02 04:57 EST (History)
Fixed In Version: jenkins 1.551
Doc Type: Bug Fix
Last Closed: 2014-10-28 18:54:02 EDT

Description Murray McAllister 2014-02-21 00:44:21 EST
Jenkins Security Advisory 2014-02-14 notes:

"...Under some circumstances, a malicious user of Jenkins can configure job X to trigger another job Y that the user has no access to."

Upstream fix: https://github.com/jenkinsci/jenkins/commit/36342d71e29e0620f803a7470ce96c61761648d8

SECURITY-109/CVE-2014-2058 was assigned to an incomplete fix for this issue. As such, the following fix should also be applied to avoid becoming vulnerable to CVE-2014-2058: https://github.com/jenkinsci/jenkins/commit/b6b2a367a7976be80a799c6a49fa6c58d778b50e

References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14
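The flaw described above is a missing authorization check on a referenced resource: the user configuring job X is allowed to name job Y as a downstream trigger without Jenkins verifying that the user may build Y. The following is an added illustrative example of that check written against the public Jenkins core API; it is not the upstream fix from the commits linked above, and the class name `DownstreamTriggerCheck`, the method name `checkDownstream` and the comma-separated field format are assumptions made for the example.

```java
// Added example (not the upstream Jenkins fix): validate a "downstream projects"
// field against the permissions of the user who is configuring the upstream job.
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;

import java.util.ArrayList;
import java.util.List;

public class DownstreamTriggerCheck {

    /**
     * Validates a comma-separated list of downstream project names entered in
     * the configuration form of {@code upstream}. Each name is resolved
     * relative to the upstream job's folder and checked against the
     * permissions of the current request's authentication, which is what
     * hasPermission() evaluates in Jenkins.
     *
     * Returns FormValidation.ok() only if every named project exists, is
     * readable by the configuring user, and that user holds Item.BUILD on it.
     */
    public static FormValidation checkDownstream(String projectList,
                                                 AbstractProject<?, ?> upstream) {
        if (projectList == null || projectList.trim().isEmpty()) {
            return FormValidation.ok();
        }
        List<String> rejected = new ArrayList<>();
        for (String rawName : projectList.split(",")) {
            String name = rawName.trim();
            if (name.isEmpty()) {
                continue;
            }
            // getItem(name, context, type) returns null both when the item does
            // not exist and when the caller lacks Item.READ on it, so this
            // field cannot be used to enumerate job names the user may not see.
            AbstractProject<?, ?> target = Jenkins.getInstance()
                    .getItem(name, upstream.getParent(), AbstractProject.class);
            if (target == null) {
                rejected.add(name + " (no such project, or not readable)");
                continue;
            }
            // Triggering a job is a BUILD action on the *downstream* job, so the
            // configuring user needs Item.BUILD on the target, not merely
            // CONFIGURE on the upstream job they are editing.
            if (!target.hasPermission(Item.BUILD)) {
                rejected.add(target.getFullName() + " (no Build permission)");
            }
        }
        if (rejected.isEmpty()) {
            return FormValidation.ok();
        }
        return FormValidation.error("Cannot trigger: " + String.join("; ", rejected));
    }
}
```

Form validation only advises the browser; a request that posts the configuration directly never runs it. The same permission test therefore has to be applied where the configuration is persisted (the descriptor's `newInstance`, or `target.checkPermission(Item.BUILD)` which throws instead of returning a message), and the history of this bug, where a first fix was found incomplete and given its own CVE, is a reminder to cover every code path that can reach the downstream job, not just the one that was reported.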
Comment 1 Vincent Danen 2014-10-17 13:50:25 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-7330 to
the following vulnerability:

Name: CVE-2013-7330
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7330
Assigned: 20140220
Reference: http://www.openwall.com/lists/oss-security/2014/02/21/2
Reference: https://github.com/jenkinsci/jenkins/commit/36342d71e29e0620f803a7470ce96c61761648d8
Reference: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14

CloudBees Jenkins before 1.502 allows remote authenticated users to
configure an otherwise restricted project via vectors related to
post-build actions.

Note that a second CVE was assigned as the initial fix was incomplete:

Common Vulnerabilities and Exposures assigned an identifier CVE-2014-2058 to
the following vulnerability:

Name: CVE-2014-2058
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2058
Assigned: 20140219
Reference: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14

BuildTrigger in CloudBees Jenkins before 1.551 and LTS before 1.532.2
allows remote authenticated users to bypass access restrictions and
execute arbitrary jobs by configuring a job to trigger another job.
NOTE: this vulnerability exists because of an incomplete fix for
CVE-2013-7330.


This second CVE does not apply to us as we have not yet fixed this issue, noting the above for awareness (to ensure we use the full and complete fix).
Comment 2 Kurt Seifried 2014-10-28 18:54:02 EDT
This issue has been addressed in the following products:

  Red Hat OpenShift Enterprise 2.1

Via RHBA-2014:1630 https://rhn.redhat.com/errata/RHBA-2014-1630.html
