This advisory announces two security vulnerabilities that were found in Jenkins core.
The first vulnerability is commonly known as HTTP response splitting vulnerability, which can act as a cross-site scripting vulnerability. This allows an anonymous attacker to inject malicious HTMLs to pages served by Jenkins. This in turn allows an attacker to escalate his privileges by hijacking sessions of other users. To mount this attack, the attacker needs to know the exact URL of your Jenkins installation. This vulnerability affects those who run Jenkins on its built-in servlet container (this includes all the native packages.)
The second vulnerability is so-called open redirect vulnerability. This allows an anonymous attacker to create an URL that looks as if it’s pointing to Jenkins, yet it actually lands on the site that the attacker controls. This can be therefore used as a basis for phishing.
These vulnerabilities are discovered by Soroush Dalili, and we’d like to thank him.
CloudBees rates these vulnerabilities as high, when combined, as they allow malicious users to gain unauthorized access to the information and impersonate the administrator of the system. On the other hands, this attack can be only mounted passively, and the attacker needs to know the URL of your Jenkins installations.
- Main line users should upgrade to Jenkins 1.491
- LTS users should upgrade to 1.480.1
- Users of Jenkins Enterprise by CloudBees 1.424.x should upgrade to 1.424.6.13
- Users of Jenkins Enterprise by CloudBees 1.447.x should upgrade to 1.447.4.1
- Users of Jenkins Enterprise by CloudBees 1.466.x should upgrade to 1.466.10.1
- The fix has already been rolled out to DEV@cloud.
All the prior versions are affected by these vulnerabilities.