Jenkins Security Advisory 2012-11-20

The first vulnerability is commonly known as an HTTP response splitting vulnerability, which can act as a cross-site scripting vulnerability. It allows an anonymous attacker to inject malicious HTML into pages served by Jenkins, which in turn lets the attacker escalate privileges by hijacking the sessions of other users. To mount this attack, the attacker needs to know the exact URL of your Jenkins installation.

This vulnerability affects those who run Jenkins on its built-in servlet container (this includes all the native packages).

Fix:
Mainline users should upgrade to Jenkins 1.491.
LTS users should upgrade to 1.480.1.

External URLs:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-11-20
http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-11-20.cb
This issue has been addressed in the following products:
RHEL 6 Version of OpenShift Enterprise, via RHSA-2013:0220
https://rhn.redhat.com/errata/RHSA-2013-0220.html
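As an added illustration of the defect class the advisory describes (not code from the advisory, from Jenkins or from its servlet container): a Python sketch of a header serializer that copies a value verbatim, the check a container must apply to the decoded value, and a small parser that shows the extra header field the defective version emits. All inputs and header names are constructed.

```python
import re

CRLF = "\r\n"
# RFC 7230 forbids bare CR or LF inside a header field value; any such byte
# lets a client (or proxy) read the remainder of the value as new header
# lines, or even as a second response. That is the root of response splitting.
_CR_LF = re.compile(r"[\r\n]")


def is_safe_header_value(value: str) -> bool:
    """True if the value can be emitted as a single header field.
    Run this on the value as it will be written, i.e. AFTER any URL decoding;
    checking the still-encoded form would miss an encoded CR/LF pair."""
    return _CR_LF.search(value) is None


def naive_redirect(location: str) -> str:
    """Defective serializer: copies the Location value verbatim. Kept only to
    contrast with safe_redirect(); never use this shape in real code."""
    return (f"HTTP/1.1 302 Found{CRLF}"
            f"Location: {location}{CRLF}"
            f"Content-Length: 0{CRLF}{CRLF}")


def safe_redirect(location: str) -> str:
    """Hardened serializer: refuse the value instead of emitting it."""
    if not is_safe_header_value(location):
        raise ValueError("header value contains CR/LF; refusing to emit")
    return naive_redirect(location)


def header_names(raw: str) -> list[str]:
    """Parse a raw response head and return its header field names, so the
    caller can see whether anything beyond the expected fields was emitted."""
    head = raw.split(CRLF + CRLF, 1)[0]
    return [line.split(":", 1)[0] for line in head.split(CRLF)[1:]]


# Constructed inputs (not from the advisory): one normal value and one that
# carries a CR/LF pair followed by a made-up header name.
GOOD_LOCATION = "/job/build-1/"
BAD_LOCATION = "/job/build-1/" + CRLF + "X-Constructed: 1"

if __name__ == "__main__":
    print(header_names(naive_redirect(BAD_LOCATION)))  # extra X-Constructed field
    try:
        safe_redirect(BAD_LOCATION)
    except ValueError as exc:
        print("rejected:", exc)
```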