Bug 1471046 - (CVE-2017-1000085) CVE-2017-1000085 jenkins-plugin-subversion: CSRF vulnerability and insufficient permission checks allow capturing credentials (SECURITY-303)
CVE-2017-1000085 jenkins-plugin-subversion: CSRF vulnerability and insufficie...
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 1472029
Blocks: 1471067
  Show dependency treegraph
Reported: 2017-07-14 06:05 EDT by Adam Mariš
Modified: 2017-08-18 01:25 EDT (History)
9 users (show)

See Also:
Fixed In Version: jenkins-plugin-subversion 2.9
Doc Type: If docs needed, set a value
Doc Text:
Subversion Plugin improperly checked permissions, requiring just Item/Build instead of Item/Configure when used. This allows a user to specify an attacker-controlled Subversion server which can then be used to collect credentials used by the Subversion plugin.
Story Points: ---
Clone Of:
Last Closed: 2017-08-14 12:43:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2017-07-14 06:05:42 EDT
Subversion Plugin connects to a user-specified Subversion repository as part of form validation (e.g. to retrieve a list of tags).

This functionality improperly checked permissions, allowing any user with Item/Build permission (but not Item/Configure) to connect to any web server or Subversion server and send credentials with a known ID, thereby possibly capturing them.

Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery attacks.

External References:

Comment 1 Adam Mariš 2017-07-14 06:05:59 EDT

Name: the Jenkins project
Upstream: Jesse Glick (CloudBees)
Comment 3 Trevor Jay 2017-08-14 12:43:15 EDT

This issue affects the versions of jenkins-plugin-subversion as shipped with Red Hat OpenShift Enterprise 3. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Note You need to log in before you can comment on or make changes to this bug.