ArchLinux: 201904-7: jenkins: multiple issues
Summary
- CVE-2019-1003049 (access restriction bypass)
A security issue has been found in Jenkins before 2.172, where the fix
for SECURITY-901 in Jenkins 2.150.2 and 2.160 did not reject existing
remoting-based CLI authentication caches. This means that users who
cached their CLI authentication before Jenkins was updated to 2.150.2
and newer, or 2.160 and newer, would remain authenticated.
- CVE-2019-1003050 (cross-site scripting)
The f:validateButton form control for the Jenkins UI did not properly
escape job URLs. This resulted in a cross-site scripting (XSS)
vulnerability exploitable by users with the ability to control job
names.
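To illustrate the class of defect described for f:validateButton, the following is an added example (not Jenkins' own templating code) that renders a job name into a link attribute first without and then with proper encoding, and includes the check a reviewer would use to tell the two apart. The function names and the hostile job name are constructed for this illustration.

```javascript
// Added example, not Jenkins code: an attacker-controlled job name rendered
// into the URL carried by a button's attribute, unsafely and then safely.

// Minimal HTML escaper for text and double-quoted attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the job name is concatenated straight into the markup,
// so a quote in the name closes the attribute and a '<' opens a new element.
function renderValidateButtonUnsafe(jobName) {
  const url = "/job/" + jobName + "/validate";
  return '<button data-url="' + url + '">Validate</button>';
}

// Hardened pattern: the path segment is percent-encoded for the URL context,
// and the resulting attribute value is HTML-escaped for the markup context.
function renderValidateButtonSafe(jobName) {
  const url = "/job/" + encodeURIComponent(jobName) + "/validate";
  return '<button data-url="' + escapeHtml(url) + '">Validate</button>';
}

// Review check: the rendered fragment should contain exactly one element
// (an opening <button and a closing </button>), i.e. exactly two '<'.
function attributeIsContained(html) {
  return (html.match(/</g) || []).length === 2;
}

// Constructed job name containing attribute-breaking characters.
const hostileJobName = 'build"><b>bold</b>';

console.log(renderValidateButtonUnsafe(hostileJobName)); // markup injected
console.log(renderValidateButtonSafe(hostileJobName));   // name stays inside the attribute
```

The order of the two encodings matters: percent-encoding handles the URL context, and the HTML escape handles the attribute context the URL is then placed in; applying only one of them leaves the other context exposed.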
Resolution
Upgrade to 2.172-1.
# pacman -Syu "jenkins>=2.172-1"
The problems have been fixed upstream in version 2.172.
References
https://seclists.org/oss-sec/2019/q2/15
https://www.jenkins.io/security/advisory/2019-04-10/
https://security.archlinux.org/CVE-2019-1003049
https://security.archlinux.org/CVE-2019-1003050
Workaround
None.