CloudBees Security Advisory 2013-05-02
This advisory announces multiple security vulnerabilities that were found in Jenkins core.
SECURITY-63 / CVE-2013-2034
This creates a cross-site request forgery (CSRF) vulnerability on the Jenkins master, where an anonymous attacker can trick an administrator into executing arbitrary code on the Jenkins master by having them open a specifically crafted attack URL.
There's also a related vulnerability where the permission check on this ability is done imprecisely, which may affect those who are running Jenkins instances with a custom authorization strategy plugin.
SECURITY-67 / CVE-2013-2033
This creates a cross-site scripting (XSS) vulnerability, where an attacker with a valid user account on Jenkins can execute JavaScript in the browser of other users, if those users are using certain browsers.
SECURITY-69 / CVE-2013-2034
This is another CSRF vulnerability that allows an attacker to cause a deployment of binaries to Maven repositories. This vulnerability has the same CVE ID as SECURITY-63.
SECURITY-71 / CVE-2013-1808
This creates a cross-site scripting (XSS) vulnerability.
Severity
SECURITY-63 is rated critical, since it enables arbitrary code execution.
SECURITY-71 and SECURITY-69 are rated high, as they allow malicious users to gain unauthorized access to information and impersonate the administrator of the system. In addition, they allow a Jenkins instance inside a firewall to be attacked from outside. On the other hand, these attacks can only be mounted passively, and the attacker needs to know the URL of your Jenkins installation.
SECURITY-67 is rated medium, as it requires the attacker to be a valid Jenkins user with write access.
Fix
Main line users should upgrade to Jenkins 1.514
LTS users should upgrade to 1.509.1
Users of Jenkins Enterprise by CloudBees 1.466.x should upgrade to 1.466.14.1
Users of Jenkins Enterprise by CloudBees 1.480.x should upgrade to 1.480.4.1
Fix has already been deployed to DEV@cloud
All the prior versions are affected by these vulnerabilities.
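A version check a defender can run against a host inventory, implementing this advisory's fix list (added example, not CloudBees' own tooling). It assumes the release line can be inferred from the version prefix: 1.466.x and 1.480.x are Jenkins Enterprise by CloudBees, 1.509.x is LTS, and anything else is the main line.

```python
"""Check whether a Jenkins version is older than the fix for its release line.

Added example, not CloudBees' tooling. Assumption: the release line is inferred
from the version prefix (1.466.x / 1.480.x = Jenkins Enterprise by CloudBees,
1.509.x = LTS, everything else = main line), as the advisory's fix list implies.
"""
from typing import List, Tuple

Version = Tuple[int, ...]

# First fixed version per release line, taken from the advisory.
FIXED_VERSIONS: List[Tuple[Version, Version]] = [
    ((1, 466), (1, 466, 14, 1)),   # Jenkins Enterprise by CloudBees 1.466.x
    ((1, 480), (1, 480, 4, 1)),    # Jenkins Enterprise by CloudBees 1.480.x
    ((1, 509), (1, 509, 1)),       # LTS
]
MAINLINE_FIXED: Version = (1, 514)  # main line (weekly) releases


def parse_version(text: str) -> Version:
    """Turn '1.509.1' into (1, 509, 1); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Jenkins version string: {text!r}")
    return tuple(int(p) for p in parts)


def first_fixed_version(version: Version) -> Version:
    """Return the first fixed version of the line `version` belongs to."""
    for prefix, fixed in FIXED_VERSIONS:
        if version[: len(prefix)] == prefix:
            return fixed
    return MAINLINE_FIXED


def is_affected(text: str) -> bool:
    """True if the version predates the fix for CVE-2013-2033/2034/1808.

    Tuple comparison handles the mixed-length schemes: (1, 509) < (1, 509, 1).
    """
    version = parse_version(text)
    return version < first_fixed_version(version)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("ci-a", "1.513"), ("ci-b", "1.509.1"), ("ci-c", "1.466.13.2")]:
        print(f"{host}: {ver} -> {'AFFECTED' if is_affected(ver) else 'fixed'}")
```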