ArchLinux: 201904-7: jenkins: multiple issues

    Date: 24 Apr 2019
    Category: ArchLinux
    Posted By: LinuxSecurity Advisories
    The package jenkins before version 2.172-1 is vulnerable to multiple issues including access restriction bypass and cross-site scripting.
    Arch Linux Security Advisory ASA-201904-7
    =========================================
    
    Severity: Medium
    Date    : 2019-04-11
    CVE-ID  : CVE-2019-1003049 CVE-2019-1003050
    Package : jenkins
    Type    : multiple issues
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-948
    
    Summary
    =======
    
    The package jenkins before version 2.172-1 is vulnerable to multiple
    issues including access restriction bypass and cross-site scripting.
    
    Resolution
    ==========
    
    Upgrade to 2.172-1.
    
    # pacman -Syu "jenkins>=2.172-1"
    
    The problems have been fixed upstream in version 2.172.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    - CVE-2019-1003049 (access restriction bypass)
    
    A security issue has been found in Jenkins before 2.172, where the fix
    for SECURITY-901 in Jenkins 2.150.2 and 2.160 did not reject existing
    remoting-based CLI authentication caches. This means that users who
    cached their CLI authentication before Jenkins was updated to 2.150.2
    and newer, or 2.160 and newer, would remain authenticated.
    
    - CVE-2019-1003050 (cross-site scripting)
    
    The f:validateButton form control for the Jenkins UI did not properly
    escape job URLs. This resulted in a cross-site scripting (XSS)
    vulnerability exploitable by users with the ability to control job
    names.
    
    Impact
    ======
    
    A remote attacker is able to bypass access restrictions or perform
    cross-site scripting.
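    The following is an added checker, not part of the advisory or of Jenkins or Arch code: it compares a reported Jenkins version against the fixed version 2.172 named above and flags job names carrying HTML metacharacters, which is what the unescaped f:validateButton rendering echoed. It assumes the X-Jenkins response header that Jenkins sets, and compares only against the weekly line the advisory names (LTS releases are numbered separately).

```python
"""Added check for ASA-201904-7: is a Jenkins instance older than the fixed
version 2.172, and do any job names carry HTML metacharacters that the
unescaped f:validateButton rendering (CVE-2019-1003050) would have echoed?
Hypothetical helper, not Jenkins or Arch code."""
import re

# Upstream fix version named in the advisory (weekly line).
FIXED_VERSION = "2.172"

# Characters that matter for HTML/attribute injection in a job URL.
HTML_META = re.compile("[<>\"'&]")


def parse_version(version):
    """Turn '2.150.2' or an Arch pkgver like '2.172-1' into a tuple of ints.
    The pkgrel after '-' is ignored; only the upstream version matters here."""
    upstream = version.split("-", 1)[0]
    return tuple(int(p) for p in re.findall(r"\d+", upstream))


def is_affected(version):
    """True when the upstream version is older than 2.172."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def version_from_headers(headers):
    """Jenkins reports its version in the X-Jenkins response header.
    Header names are matched case-insensitively; None if absent."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


def suspicious_job_names(job_names):
    """Return job names containing HTML metacharacters. Before 2.172 such
    names reached the f:validateButton markup unescaped, so they are worth
    reviewing (and restricting who may create jobs) until the upgrade."""
    return [name for name in job_names if HTML_META.search(name)]


if __name__ == "__main__":
    # Constructed sample data standing in for a real instance.
    sample_headers = {"Content-Type": "text/html", "X-Jenkins": "2.160"}
    sample_jobs = ["build-api", "release <candidate>", "nightly"]
    ver = version_from_headers(sample_headers)
    print(f"Jenkins {ver}: {'AFFECTED' if is_affected(ver) else 'not affected'}")
    for name in suspicious_job_names(sample_jobs):
        print("review job name:", repr(name))
```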
    
    References
    ==========
    
    https://seclists.org/oss-sec/2019/q2/15
    https://jenkins.io/security/advisory/2019-04-10/
    https://security.archlinux.org/CVE-2019-1003049
    https://security.archlinux.org/CVE-2019-1003050
    
    