1282362 – (CVE-2015-5319) CVE-2015-5319 jenkins: XXE injection into job configurations via CLI (SECURITY-173)

Bug 1282362 (CVE-2015-5319) - CVE-2015-5319 jenkins: XXE injection into job configurations via CLI (SECURITY-173)

Summary: CVE-2015-5319 jenkins: XXE injection into job configurations via CLI (SECURIT...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2015-5319
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1282375
TreeView+	depends on / blocked

Reported:	2015-11-16 08:55 UTC by Martin Prpič
Modified:	2021-02-17 04:42 UTC (History)
CC List:	14 users (show)
Fixed In Version:	Jenkins 1.638, Jenkins 1.625.2
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-03-22 19:23:43 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2016:0070	0	normal	SHIPPED_LIVE	Important: Red Hat OpenShift Enterprise 3.1.1 bug fix and enhancement update	2016-01-27 00:12:41 UTC
Red Hat Product Errata	RHSA-2016:0489	0	normal	SHIPPED_LIVE	Important: Red Hat OpenShift Enterprise 2.2.9 security, bug fix, and enhancement update	2016-03-22 20:49:04 UTC

Description Martin Prpič 2015-11-16 08:55:34 UTC

The following flaw was found in Jenkins:

When creating a job using the create-job CLI command, external entities are not discarded (nor processed). If these job configurations are processed by another user with an XML-aware tool (e.g. using get-job/update-job), information from that user's computer may be disclosed to Jenkins and the attacker.

Exploiting this flaw requires a high degree of specific user interaction, and the limited information that can be gained this way.

External References:

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11

Comment 1 Martin Prpič 2015-11-16 09:11:22 UTC

Fixed in Fedora in:

jenkins-1.609.3-3.fc22
jenkins-1.625.2-2.fc23
jenkins-1.625.2-2.fc24

Comment 3 errata-xmlrpc 2016-01-26 19:17:47 UTC

This issue has been addressed in the following products:

  RHEL 7 Version of OpenShift Enterprise 3.1

Via RHSA-2016:0070 https://access.redhat.com/errata/RHSA-2016:0070

Comment 4 errata-xmlrpc 2016-03-22 16:51:52 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Enterprise 2.2

Via RHSA-2016:0489 https://rhn.redhat.com/errata/RHSA-2016-0489.html

Note You need to log in before you can comment on or make changes to this bug.