ArchLinux: 201908-22: jenkins: multiple issues

    Date: 04 Sep 2019
    Category: ArchLinux
    Posted By: LinuxSecurity Advisories
    The package jenkins before version 2.192-1 is vulnerable to multiple issues including cross-site request forgery and cross-site scripting.
    Arch Linux Security Advisory ASA-201908-22
    ==========================================
    
    Severity: Medium
    Date    : 2019-08-30
    CVE-ID  : CVE-2019-10383 CVE-2019-10384
    Package : jenkins
    Type    : multiple issues
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-1030
    
    Summary
    =======
    
    The package jenkins before version 2.192-1 is vulnerable to multiple
    issues including cross-site request forgery and cross-site scripting.
    
    Resolution
    ==========
    
    Upgrade to 2.192-1.
    
    # pacman -Syu "jenkins>=2.192-1"
    
    The problems have been fixed upstream in version 2.192.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    - CVE-2019-10383 (cross-site scripting)
    
    Jenkins did not properly escape the update site URL in some status
    messages shown in the update center, resulting in a stored cross-site
    scripting vulnerability that is exploitable by administrators and
    affects other administrators.
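The escaping gap behind CVE-2019-10383 is easiest to see side by side: a configured value (here an update site URL) is interpolated into an HTML status message once raw and once escaped. This is an illustration added here, not Jenkins' own code; the function names, the message template and the constructed URL are assumptions.

```python
import html

# Constructed update site URL carrying markup, to show why escaping matters.
UNTRUSTED_URL = 'https://updates.example.invalid/update-center.json"><b>injected</b>'


def status_message_unescaped(url):
    # Vulnerable pattern: raw interpolation, so any markup inside the URL
    # becomes part of the rendered page (stored XSS once the value is saved).
    return f'<p>Update site <a href="{url}">{url}</a> could not be reached.</p>'


def status_message_escaped(url):
    # Hardened pattern: escape for both the attribute and the text context
    # before interpolating. quote=True also escapes " and ' so the value
    # cannot break out of the href attribute.
    safe = html.escape(url, quote=True)
    return f'<p>Update site <a href="{safe}">{safe}</a> could not be reached.</p>'


def contains_raw_markup(rendered):
    # Simple check: a literal "<b>" means the URL's markup survived rendering.
    return "<b>" in rendered


if __name__ == "__main__":
    print(status_message_unescaped(UNTRUSTED_URL))
    print(status_message_escaped(UNTRUSTED_URL))
```

The escaped variant is what a template engine with auto-escaping would produce; the point of the advisory is that this particular message bypassed that path.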
    
    - CVE-2019-10384 (cross-site request forgery)
    
    Jenkins allowed the creation of CSRF tokens without a corresponding web
    session ID. This is the result of an incomplete fix for SECURITY-626 in
    the 2019-07-17 security advisory. This allowed attackers able to obtain
    a CSRF token without an associated session ID to implement CSRF attacks
    with the following constraints:
    
    - The token had to be created for the anonymous user (and could only be
      used for actions the anonymous user can perform).
    - The victim's IP address needed to remain unchanged (unless the proxy
      compatibility option was enabled).
    - The victim must not have a valid web session at the time of the attack.
    
    CSRF token generation now creates a web session if none exists yet, so
    that the lack of a web session ID cannot be exploited.
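The three constraints above fall out of how a CSRF token is bound. The sketch below models a token as an HMAC over (session ID, user, client IP): when the session component is allowed to be empty, every sessionless anonymous request from the same IP gets the same token, and a token minted by one such request validates for another. Creating a session before issuing the token removes that property. This is an added model, not Jenkins' crumb implementation; the class, function names and the demo secret are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed per-install secret; a real deployment would generate this randomly.
SERVER_SECRET = b"constructed-demo-secret"


class Request:
    """Minimal stand-in for an HTTP request: session ID (None if absent), user, client IP."""

    def __init__(self, session_id, user="anonymous", remote_ip="203.0.113.10"):
        self.session_id = session_id
        self.user = user
        self.remote_ip = remote_ip


def _token(session_id, user, remote_ip):
    # The token commits to the session, the user and the client address.
    msg = f"{session_id}:{user}:{remote_ip}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token_vulnerable(req):
    # Weak behaviour described by the advisory: a token is minted even when
    # there is no web session, so the session component is empty and the
    # token depends only on user and IP.
    return _token(req.session_id or "", req.user, req.remote_ip)


def issue_token_fixed(req):
    # Fixed behaviour: create a session first if none exists, so every token
    # is tied to a concrete session ID that only this client holds.
    if req.session_id is None:
        req.session_id = secrets.token_hex(16)
    return _token(req.session_id, req.user, req.remote_ip)


def validate_token(req, token):
    # Validation recomputes the expected token for the presenting request;
    # a changed IP, user or session makes it fail (the advisory's constraints).
    expected = _token(req.session_id or "", req.user, req.remote_ip)
    return hmac.compare_digest(expected, token)


def token_shared_across_sessionless_requests(issuer):
    """True if a token issued to one sessionless request validates for another."""
    first, second = Request(None), Request(None)
    return validate_token(second, issuer(first))


if __name__ == "__main__":
    print("vulnerable shares token:", token_shared_across_sessionless_requests(issue_token_vulnerable))
    print("fixed shares token:     ", token_shared_across_sessionless_requests(issue_token_fixed))
```

The same check also shows why a victim who already has a session was not affected: their request carries a session ID, so a token computed with an empty session component never matches for them.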
    
    Impact
    ======
    
    An attacker with administrative access can execute XSS attacks on other
    administrators by using crafted status messages on the update center.
    Further, an attacker is able to execute a CSRF attack under a very
    narrow set of constraints.
    
    References
    ==========
    
    https://jenkins.io/security/advisory/2019-08-28/
    https://security.archlinux.org/CVE-2019-10383
    https://security.archlinux.org/CVE-2019-10384
    
    