Bug 1620354 (CVE-2018-1999047) - CVE-2018-1999047 jenkins: Unauthorized users could cancel scheduled restarts initiated from the update center
Summary: CVE-2018-1999047 jenkins: Unauthorized users could cancel scheduled restarts ...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2018-1999047
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1620355
Blocks: 1620339
TreeView+ depends on / blocked
 
Reported: 2018-08-23 04:45 UTC by Sam Fowler
Modified: 2021-02-16 23:09 UTC (History)
13 users (show)

Fixed In Version: jenkins 2.121.3, jenkins 2.138
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:36:46 UTC
Embargoed:

Attachments (Terms of Use)

Description Sam Fowler 2018-08-23 04:45:10 UTC 
Jenkins before LTS version 2.121.3 and weekly version 2.138 allow unauthorized users to cancel scheduled restarts initiated from the update center.

Users with Overall/Read permission were able to access the URL used to cancel scheduled restart jobs initiated via the update center ("Restart Jenkins when installation is complete and no jobs are running") due to a lack of permission checks.


External Reference:

https://jenkins.io/security/advisory/2018-08-15/#SECURITY-1076
Comment 1 Sam Fowler 2018-08-23 04:46:06 UTC 
Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1620355]
Comment 2 Jason Shepherd 2018-10-31 07:06:55 UTC 
By default Jenkins doesn't setup users with just Overall/Read permission. It's possible to setup such users but it's best not to rely on Agent/Connect permission to prevent cancellation of restart jobs because of this issue on OpenShift Container Platform 3.10 and earlier.

Upgrade to OpenShift Container Platform 3.11 to pick up a fix for this issue.
Note You need to log in before you can comment on or make changes to this bug.