CloudBees Security Advisory 2013-05-02

This advisory announces multiple security vulnerabilities that were found in Jenkins core.

SECURITY-63 / CVE-2013-2034

This creates a cross-site request forgery (CSRF) vulnerability on Jenkins master, where an anonymous attacker can trick an administrator to execute arbitrary code on Jenkins master by having him open a specifically crafted attack URL.

There's also a related vulnerability where the permission check on this ability is done imprecisely, which may affect those who are running Jenkins instances with a custom authorization strategy plugin.

SECURITY-67 / CVE-2013-2033

This creates a cross-site scripting (XSS) vulnerability, where an attacker with a valid user account on Jenkins can execute JavaScript in the browser of other users, if those users are using certain browsers.

SECURITY-69 / CVE-2013-2034

This is another CSRF vulnerability that allows an attacker to cause a deployment of binaries to Maven repositories. This vulnerability has the same CVE ID as SEUCRITY-63.

SECURITY-71 / CVE-2013-1808

This creates a cross-site scripting (XSS) vulnerability.

Severity

SECURITY-63 is rated critical , since it enables arbitrary code execution.

SECURITY-71 and SECURITY-69 are rated as high , as it allows malicious users to gain unauthorized access to the information and impersonate the administrator of the system. In addition, this allows Jenkins inside a firewall to be attacked from outside. On the other hands, this attack can be only mounted passively, and the attacker needs to know the URL of your Jenkins installations.

SECURITY-67 is rated medium , as it requires an attacker to be a valid user of Jenkins with a write access.

Fix

  • Main line users should upgrade to Jenkins 1.514

  • LTS users should upgrade to 1.509.1

  • Users of Jenkins Enterprise by CloudBees 1.466.x should upgrade to 1.466.14.1

  • Users of Jenkins Enterprise by CloudBees 1.480.x should upgrade to 1.480.4.1

  • Fix has already been deployed to DEV@cloud

All the prior versions are affected by these vulnerabilities.

More Security Advisories
From code to customer. Continuously advancing your business.
Product Capabilities
Resources
Why CloudBees
Policy Links
Developers
© 2023 CloudBees, Inc., CloudBees® and the Infinity logo® are registered trademarks of CloudBees, Inc. in the United States and may be registered in other countries. Other products or brand names may be trademarks or registered trademarks of CloudBees, Inc. or their respective holders. Jenkins® is a registered trademark of LF Charities Inc.