Arch Linux Security Advisory ASA-201908-22
=========================================
Severity: Medium
Date    : 2019-08-30
CVE-ID  : CVE-2019-10383 CVE-2019-10384
Package : jenkins
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1030

Summary
======
The package jenkins before version 2.192-1 is vulnerable to multiple
issues including cross-site request forgery and cross-site scripting.

Resolution
=========
Upgrade to 2.192-1.

# pacman -Syu "jenkins>=2.192-1"

The problems have been fixed upstream in version 2.192.

Workaround
=========
None.

Description
==========
- CVE-2019-10383 (cross-site scripting)

Jenkins did not properly escape the update site URL in some status
messages shown in the update center, resulting in a stored cross-site
scripting vulnerability that is exploitable by administrators and
affects other administrators.

- CVE-2019-10384 (cross-site request forgery)

Jenkins allowed the creation of CSRF tokens without a corresponding web
session ID. This is the result of an incomplete fix for SECURITY-626 in
the 2019-07-17 security advisory. This allowed attackers able to obtain
a CSRF token without associated session ID to implement CSRF attacks
with the following constraints. The token had to be created for the
anonymous user (and could only be used for actions the anonymous user
can perform). The victim’s IP address needed to remain unchanged
(unless the proxy compatibility option was enabled) The victim must not
have a valid web session at the time of the attack. CSRF token
generation now creates a web session if none exists yet, so that the
lack of a web session ID cannot be exploited.

Impact
=====
An attacker with administrative access can execute XSS attacks on other
administrators by using crafted status messages on the update center.
Further, an attacker is able to execute a CSRF attack under a very
narrow set of constraints.

References
=========
https://www.jenkins.io/security/advisory/2019-08-28/
https://security.archlinux.org/CVE-2019-10383
https://security.archlinux.org/CVE-2019-10384

ArchLinux: 201908-22: jenkins: multiple issues

September 4, 2019

Summary

- CVE-2019-10383 (cross-site scripting) Jenkins did not properly escape the update site URL in some status messages shown in the update center, resulting in a stored cross-site scripting vulnerability that is exploitable by administrators and affects other administrators.
- CVE-2019-10384 (cross-site request forgery)
Jenkins allowed the creation of CSRF tokens without a corresponding web session ID. This is the result of an incomplete fix for SECURITY-626 in the 2019-07-17 security advisory. This allowed attackers able to obtain a CSRF token without associated session ID to implement CSRF attacks with the following constraints. The token had to be created for the anonymous user (and could only be used for actions the anonymous user can perform). The victim’s IP address needed to remain unchanged (unless the proxy compatibility option was enabled) The victim must not have a valid web session at the time of the attack. CSRF token generation now creates a web session if none exists yet, so that the lack of a web session ID cannot be exploited.

Resolution

Upgrade to 2.192-1. # pacman -Syu "jenkins>=2.192-1"
The problems have been fixed upstream in version 2.192.

References

https://www.jenkins.io/security/advisory/2019-08-28/ https://security.archlinux.org/CVE-2019-10383 https://security.archlinux.org/CVE-2019-10384

Severity
Package : jenkins
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1030

Workaround

None.

Related News

30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
2.Motherboard Esm H320
2 - 3 min read
The recently uncovered "Native Branch History Injection (BHI)" exploit against the Linux kernel marks a significant milestone in the ongoing battle
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved