CloudBees Security Advisory 2013-05-02
This advisory announces multiple security vulnerabilities that were found in Jenkins core.
SECURITY-63 / CVE-2013-2034
This creates a cross-site request forgery (CSRF) vulnerability on Jenkins master, where an anonymous attacker can trick an administrator to execute arbitrary code on Jenkins master by having him open a specifically crafted attack URL.
There's also a related vulnerability where the permission check on this ability is done imprecisely, which may affect those who are running Jenkins instances with a custom authorization strategy plugin.
SECURITY-67 / CVE-2013-2033
SECURITY-69 / CVE-2013-2034
This is another CSRF vulnerability that allows an attacker to cause a deployment of binaries to Maven repositories. This vulnerability has the same CVE ID as SECURITY-63.
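To make the two defects described for SECURITY-63 (and the related CSRF in SECURITY-69) concrete, the following is an added, self-contained Python model written for this page; it is not Jenkins code and does not reproduce Jenkins' permission model. It places a handler with both defects (no CSRF token check, and a permission check that accepts any authenticated user instead of requiring the administrative permission) beside a hardened one. The permission names, the Session and Request types and the sample commands are constructed; the only real dependency is the standard library. The hardened handler shows the usual defences: accept only POST, require the exact permission, and bind the request to a per-session secret token that a third-party page cannot read, compared in constant time.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional

# Hypothetical permission names; Jenkins' real permission model is not reproduced here.
ADMINISTER = "Administer"
READ = "Read"


class Forbidden(Exception):
    """Raised when a request is rejected before the action runs."""


@dataclass
class Session:
    """Server-side session that the browser selects via its cookie."""
    user: str
    permissions: FrozenSet[str]
    # Per-session secret; a cross-site page cannot read it (same-origin policy).
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    session: Optional[Session]   # attached automatically from the cookie
    form: Dict[str, str]


def vulnerable_admin_action(req: Request, run: Callable[[str], None]) -> str:
    """Hypothetical handler with both defects from the advisory: no CSRF token
    check, and a permission check that only requires *some* permission
    instead of the administrative one."""
    if req.session is None or not req.session.permissions:
        raise Forbidden("login required")
    run(req.form["cmd"])
    return "ran"


def hardened_admin_action(req: Request, run: Callable[[str], None]) -> str:
    """State-changing action: POST only, exact permission, per-session token."""
    if req.method != "POST":
        raise Forbidden("state-changing actions must be POST")
    if req.session is None:
        raise Forbidden("login required")
    if ADMINISTER not in req.session.permissions:
        raise Forbidden("Administer permission required")
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison so the token check does not leak timing.
    if not hmac.compare_digest(supplied, req.session.csrf_token):
        raise Forbidden("missing or invalid CSRF token")
    run(req.form["cmd"])
    return "ran"


def outcome(handler, req: Request, log: List[str]) -> str:
    """Run one handler and report whether the action ran or was blocked."""
    try:
        return handler(req, log.append)
    except Forbidden:
        return "blocked"


def simulate() -> Dict[str, str]:
    """Constructed scenario: an admin and a read-only user are logged in, and a
    third-party page submits a form to the admin endpoint from their browsers."""
    admin = Session("admin", frozenset({READ, ADMINISTER}))
    reader = Session("dev", frozenset({READ}))
    log: List[str] = []   # records commands that actually reached run()

    # Cross-site forged request: the cookie (and so the session) rides along,
    # but the third-party page does not know the session's token.
    forged = Request("POST", admin, {"cmd": "echo forged"})
    # Legitimate request from the application's own page, token included.
    genuine = Request("POST", admin, {"cmd": "echo ok", "csrf_token": admin.csrf_token})
    # Read-only user with a valid token: the token alone must not grant the action.
    low_priv = Request("POST", reader, {"cmd": "echo dev", "csrf_token": reader.csrf_token})

    return {
        "vulnerable/forged": outcome(vulnerable_admin_action, forged, log),
        "vulnerable/low_priv": outcome(vulnerable_admin_action, low_priv, log),
        "hardened/forged": outcome(hardened_admin_action, forged, log),
        "hardened/genuine": outcome(hardened_admin_action, genuine, log),
        "hardened/low_priv": outcome(hardened_admin_action, low_priv, log),
    }


if __name__ == "__main__":
    for case, result in simulate().items():
        print(f"{case:22} {result}")
```

The forged request carries the victim's session because the browser attaches the cookie automatically; what it cannot carry is the per-session token, which is why the token check is what stops it. The read-only case is the second half of the advisory: a valid token proves the request came from the application's own page, not that the user may perform the action, so the exact permission check must stay in place alongside it.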
SECURITY-71 / CVE-2013-1808
This creates a cross-site scripting (XSS) vulnerability.
SECURITY-63 is rated critical, since it enables arbitrary code execution.
SECURITY-71 and SECURITY-69 are rated high, as they allow malicious users to gain unauthorized access to information and to impersonate the administrator of the system. In addition, they allow a Jenkins instance inside a firewall to be attacked from outside. On the other hand, these attacks can only be mounted passively, and the attacker needs to know the URL of your Jenkins installation.
SECURITY-67 is rated medium, as it requires the attacker to be a valid Jenkins user with write access.
Main line users should upgrade to Jenkins 1.514
LTS users should upgrade to 1.509.1
Users of Jenkins Enterprise by CloudBees 1.466.x should upgrade to 1.466.14.1
Users of Jenkins Enterprise by CloudBees 1.480.x should upgrade to 1.480.4.1
The fix has already been deployed to DEV@cloud
All prior versions are affected by these vulnerabilities.